The mission of the Cybersecurity and Infrastructure Security Agency is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.
CISA is not responsible for setting and articulating your organization's cybersecurity policies, controls, and mitigations.
Experts recently reflected on the CISA 2024-2026 strategic plan, asking whether its intended risk reduction efforts are measurable and impactful, and whether implementing the plan's Cyber Performance Goals actually reduces cyber-risk to critical infrastructure.
We need to better understand the national inventory of operational critical components and how to defend them based on an effects-based, rather than a means-based, approach to protecting critical infrastructure.
Threading the tapestry of risk across critical infrastructure requires a more granular and purposeful model than current approaches deliver.
If the underlying effort from ONCD's national cybersecurity strategy is the development of shared services to reduce costs, especially for target rich, resource poor organizations, operational technology should be a primary focus, not considered out of scope for the ongoing regulation harmonization efforts.
Sector Risk Management Agency Capacity Building
In a perfect world, there would be a dedicated cybersecurity subject matter expert at the federal level for each critical infrastructure sector, either within the SRMAs or at CISA. Absent that, cybersecurity research and development must encapsulate the entire supply chain - management of suppliers, enterprise incident management, the development environment, products and services, upstream supply chain, operational technology, and downstream supply chain - aligned to the CISA CPGs as a baseline.
Without contextualizing the broad problem set that is critical infrastructure cybersecurity, we risk two poor outcomes.
First, increasing the cost of compliance-based cybersecurity to the extent that small to medium-sized businesses cannot afford to meet expensive and prescriptive cybersecurity regulations.
CISA Cyber-Physical R&D Gaps
Federal cybersecurity research and development has a blind spot when it comes to a holistic, national understanding of operational technology and industrial control systems.
CISA's white paper on RD&I Needs and Strategic Actions for Resilience of Critical Infrastructure has been largely ignored in the broader federal regulatory conversation, despite its release in March 2023.
Gap 1: An integrated analysis of consequences and risk reduction decision factors for critical services that depend on cyber-physical infrastructure systems.
Need: A systemic understanding of interconnected cyber-physical infrastructure risk to critical services from the local to national scales.
Need: Common definitions, standards, and metrics for measuring effectiveness of infrastructure resilience interventions.
Gap 2: User-engagement in cyber-physical infrastructure research to translate resilience knowledge into effective action at the local and regional level.
Need: Empirical investigation of how the regulatory system may constrain or enable enhancements to the resilience of cyber-physical infrastructure.
Need: Identify the institutional conditions for effective infrastructure governance and adaptive capacity.
Onward and Upward
In the meantime, baselining critical infrastructure resilience remains one of CISA's major goals for its 2024-2026 strategy.
The broader national cybersecurity strategy has three umbrella focus areas: addressing immediate threats, hardening the terrain, and driving security at scale.
A synergistic goal of the CISA CPGs is to map cybersecurity standards and controls to cybersecurity outcomes.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 06 Dec 2023 15:00:06 +0000