Summary: There are several regulatory entities that govern various aspects of organizations’ operations. Many regulations are currently in place to enforce cybersecurity practices across industries and sectors. Some significant regulations that affect critical infrastructure and require compliance are outlined below, along with resources that can help guide an organization looking to establish a robust security posture and align with compliance rules.

One of the significant factors that an enterprise must consider when deciding how to approach building a cybersecurity strategy is compliance with various security regulations. Those who fail to meet the standards set out by government agencies and other regulatory entities may face consequences such as fines, exclusion from certain benefits afforded to compliant companies, or even criminal charges. As individuals and organizations gain more awareness of cyber threats and the determination to stop them, regulations are updated and amended to maintain the highest possible security standard. It is vital for organizations to stay on top of the regulatory mandates they are subject to, the consequences of non-compliance, and the best ways to ensure conformity to the regulations.

Regulatory Mandates and Strategies

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was recently signed into law and aims to increase cyberattack transparency. It requires companies in critical infrastructure sectors, such as financial services, to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). One major issue that CIRCIA attempts to address is the tendency of some companies to simply pay the ransom when hit with ransomware rather than reporting the attack or otherwise handling it. Organizations are encouraged to fortify their security strategies and fine-tune their crisis management systems to make compliance with this act easier.

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of requirements outlined by NERC to regulate, monitor, and manage the Bulk Electric System’s (BES) cybersecurity posture. It establishes a baseline of cybersecurity measures that all entities under the purview of NERC must adhere to. These measures include identifying critical assets, conducting regular risk analyses, defining policies for monitoring and governing access, implementing firewalls, and enforcing IT controls.

ISO 27001 is a leading international standard for information security, put out by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC). The main goals of ISO 27001 are to bolster and enforce data confidentiality, integrity, and availability. The standard details a range of compliance requirements regarding the context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.

The International Society for Automation also works with the IEC on ISA/IEC 62443, a group of information security standards for automation systems used in more than 20 industries. The standards outline not only the requirements for compliance but also guidance on achieving full compliance and bolstering security. They stress shared responsibility, emphasizing that stakeholders must work together and agree on security goals and measures, and on the range of requirements for automation and control systems security.

The TSA Security Directive for pipelines is a recently revised document that lays out important cybersecurity requirements for oil and natural gas pipelines. In 2021, a major ransomware attack on a pipeline highlighted the need for more robust security measures. The directive aims to enforce performance-based measures rather than prescriptive ones, fortifying the cybersecurity of critical infrastructure sectors according to industry expertise and risk mitigation. Requirements of the directive include enforcing network segmentation, access control, monitoring, and detection.

Implementing Cybersecurity Measures

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a set of guidelines for organizations to follow to mitigate cybersecurity risk. It details best practices for the identification and protection of assets, detection of and response to threats, and incident remediation. Recently, NIST released a series of potential changes based on feedback and requests from industry stakeholders. These new and changed guidelines include increasing aid in implementation, emphasizing governance and supply chain risk management, and increasing understanding of measurement and assessment.

CISA has published Cross-Sector Cybersecurity Performance Goals in response to a July 2021 White House security memorandum. These goals are a set of cybersecurity practices that information technology (IT) and operational technology (OT) owners and operators should prioritize for a baseline of security. These guidelines are intended to supplement NIST’s CSF. They include information on cybersecurity best practices in eight areas: account security, device security, data security, governance and training, vulnerability management, supply chain/third party, response and recovery, and other, an umbrella category that covers such issues as network segmentation and email security.

The White House’s National Cybersecurity Strategy is designed to address the increasing volume and risk of cyber threats and protect individuals, organizations, and vital infrastructure from cyberattacks. It is built on the five pillars of defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. The focus on protecting infrastructure is notable, particularly the emphasis on the vulnerability of the energy sector.

Conclusion

Depending on the sector, industry, or specific purpose of an enterprise, certain regulatory mandates may or may not apply. It is vital for any business to understand what regulations affect its operations, what they are required to do in order to remain in compliance with those regulations, and how to implement security policies and measures to conform to those requirements.

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.

Contact Us: https://itegriti.com/contact/

ITEGRITI Services: https://itegriti.com