The National Infrastructure Advisory Council called for mandatory cybersecurity rules for critical infrastructure organizations and the technology vendors that service those sectors, echoing recommendations in the Biden administration’s national cybersecurity strategy.
The National Security Council requested the report from the group of 30 executives and leaders from the public and private sectors that advises the White House on protecting critical infrastructure. The council adopted the report on Tuesday.
“The NIAC acknowledges that standards need to be developed with industry input, but standards should ultimately be mandatory when they deal with security vulnerabilities that could impact the provision of critical infrastructure across sectors,” the report states. Additionally, it recommended that software and hardware makers that service critical infrastructure also be covered by cyber mandates.
“For example, it is not effective to place cybersecurity compliance standards on providers of critical infrastructure without applying the same standards up the chain to those who provide operating systems providers depend upon,” the NIAC report says.
The recommendations for critical infrastructure cyber mandates mirror the Biden administration’s call for regulations in the national cyber strategy released earlier this month. That strategy calls for greater industry accountability by shifting responsibility and liability onto vendors that are often unregulated but provide essential services to critical infrastructure sectors.
The NIAC report notes that, in cybersecurity specifically, a “weak link in the chain” can have cascading impacts on other critical sectors, and it recommends outcome-based standards rather than prescriptive ones. It illustrates the cross-sector dependency with a prolonged power outage: “For example, if a disruption in the electric sector denies power to the communications sector for a prolonged period of time, then the communications sector may be unable to provide services to the electric sector. Identifying these critical time-sensitive interdependencies can help to prioritize restoration efforts.”
Experts have noted that the increasing interconnection between critical sectors — as well as rapid digitization — creates a more complex environment where risks are becoming increasingly difficult to predict. NIAC also pointed out that a lack of federal authority over many critical sectors could hinder both the private and public response to an emergency such as a cyberattack or natural disaster.
Some of its other recommendations include developing a common playbook for local governments, engaging vulnerable communities (such as low-income and tribal communities) and organized labor in planning and restoration efforts, enhancing information sharing between sectors, and analyzing “common cause” failures in critical infrastructure supply chains.
Additionally, the advisory group recommends harmonizing standards across the federal government, particularly when it comes to organizations that operate in multiple critical infrastructure sectors.
NIAC also presented examples of potential cross-sector collaboration modeled on the biennial grid security exercise known as “GridEx,” which simulates a major attack against the North American grid. That exercise focuses on the electric sector, but the report noted that a combined oil and natural gas and electric exercise could prove useful as well.