Protecting critical infrastructure such as water supplies, electricity grids, and food production is a national priority. Events like natural disasters or cyber attacks can disrupt services that Americans need for daily life. Many federal agencies are tasked with protecting the nation’s critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency (CISA) for leadership on how to do it.
A 2021 law, the William M. (Mac) Thornberry National Defense Authorization Act (FY21 NDAA), expanded these agencies’ responsibilities and added some new ones. CISA is working on guidance and other support to help agencies implement these responsibilities, and a new report from the Government Accountability Office (GAO) urges CISA to set timelines for completing this work.
During GAO’s research, some officials from various critical infrastructure agencies described new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for sector risk management agencies. New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products.
Challenges were also reported. Critical infrastructure agency officials cited two challenges in implementing their responsibilities: the voluntary nature of private sector participation, and limited or no dedicated resources. Officials for 11 of the 16 critical infrastructure sectors also stated that CISA could improve its support, including coordination and information sharing with them.
CISA officials told GAO that they are in the process of updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. Sector risk management agency officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities, GAO said. However, the watchdog pointed out that CISA has not developed milestones and timelines to complete its efforts. GAO recommends that CISA establish milestones and timelines for its efforts to provide guidance and improve coordination and information sharing that would help agencies implement their FY21 NDAA responsibilities, and ensure the milestones and timelines are updated through completion. The Department of Homeland Security concurred and agreed with the importance of having a coordinated plan, including milestones and timelines.
Alongside this report, GAO also released its third in a series of four reports on federal cybersecurity, which focuses on protecting cyber critical infrastructure. GAO has made 106 public recommendations in this area since 2010. Nearly 57% of those recommendations had not been implemented as of December 2022.
Critical infrastructure is at increasing risk of a cyber attack, and has already seen nefarious activity. The U.S. grid’s distribution systems, for example, which carry electricity from transmission systems to consumers and are regulated primarily by states, are at particular risk. Distribution systems are growing more vulnerable, in part because of industrial control systems’ increasing connectivity. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.
The Department of Energy (DOE) developed plans to help combat these threats and implement the national cybersecurity strategy for the grid. However, GAO says DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. Because the plans do not address improvements to grid distribution systems’ cybersecurity, GAO is concerned that they will likely be of limited use in prioritizing federal support to states and industry.