On July 28, 2021, President Biden signed a national security memorandum that seeks to “significantly improve” the cybersecurity of critical infrastructure systems. The “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” (the “Memorandum”) reflects the administration’s conclusion that “[t]he cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation.” It builds on President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity,1 which included a focus on operational technology systems and primarily addressed the security practices of government agencies and government contractors.2 With recent cyber attacks affecting a major pipeline, water systems and other critical infrastructure, the Memorandum describes two key actions the administration is taking to respond to this intensifying challenge.
First, the Memorandum describes the establishment of the Industrial Control Systems Cybersecurity Initiative. This is to be “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.” Through this initiative, the federal government will encourage and advance the “deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.” The stated goal of this initiative is to “greatly expand deployment of these technologies across priority critical infrastructure.” This will help companies “monitor control systems to detect malicious activity and facilitate response actions to cyber threats.” To support this effort, the Memorandum notes that the government will “work with industry to share threat information for priority control system critical infrastructure throughout the country.”
The Memorandum notes that the initiative began with a pilot program involving the Electricity Subsector in April. (Separately, the administration has reported that over 150 electricity utilities accounting for over 90 million residential customers have participated.)3 The initiative is now focused on natural gas pipelines, and “[e]fforts for the Water and Wastewater Sector Systems and Chemical Sector will follow later this year.”
Second, the Memorandum calls for the development of critical infrastructure cybersecurity performance goals that will “further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow.” These performance goals, which ultimately would include both cross-sector and sector-specific elements, are intended to provide guidance on best practices for “cybersecurity practices and postures” to guide critical infrastructure owners and operators. The Memorandum requires the development of preliminary cross-sector goals—which are intended to be consistent across all critical infrastructure sectors—by September 22, 2021, with a final version issued by July 28, 2022. It also calls for the development and issuance of sector-specific critical infrastructure cybersecurity performance goals by July 28, 2022. (Notably, the Memorandum does not explain how these performance goals would interact with the NIST Framework for Improving Critical Infrastructure Cybersecurity, which has been widely adopted across the country.) Although the goals would not be mandatory, the impact will likely be significant. For example, such goals could influence legislation considered in Congress, guide regulatory expectations or develop into industry standards that would be taken into consideration if a cybersecurity incident leads to litigation.
The Memorandum thus adds a focus on critical infrastructure to the Biden administration’s multi-faceted response to cybersecurity threats to US systems and enterprises. Businesses, especially those in or with ties to critical infrastructure sectors, will benefit from closely watching how the administration continues to work with the private sector in confronting this challenge and taking appropriate steps to reduce associated legal risks.4