The Biden administration issued a national security memorandum on improving cybersecurity for critical infrastructure control systems to address what it describes as a “woefully inadequate” security posture.
The memorandum was accompanied by transcripts of remarks made by a “senior administration official” who said the edicts are necessary because “we have a patchwork of sectoral laws that have been passed piecemeal, usually in response to discreet security threats in particular areas that have attracted public attention.
“So our current position is woefully inadequate given the evolving threat we face today,” the unnamed official added. “We really kicked the box for a long time.”
The memo outlines plans to change that, with an “Industrial Control Systems Cybersecurity Initiative” that sees government and industry working together to set security baselines. The administration also wants security baselines to become consistent across all critical infrastructure areas.
The memo instructs the secretary of the Department of Homeland Security to publish preliminary targets for control systems in critical infrastructure sectors no later than September 22, 2021. Within a year, the administration expects this. that the “final objectives of the intersectoral control system” be defined. .
Despite the transcript repeatedly referencing the absence of laws requiring certain safety practices and mentioning recent mandates introduced by the Transportation Security Administration to set safety requirements for pipeline operators, the memo does not discuss whether critical infrastructure operators must be compelled to act. .
Instead, the memo promises that US government risk management agencies “will work with stakeholders, owners and operators of critical infrastructure to implement the principles and policy outlined in this memorandum.” ®