Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Blog Tenable

S'abonner

Cybersecurity for Critical Infrastructure: How CISA Programs, New Legislation Can Help

Recent efforts by the U.S. Cybersecurity and Infrastructure Agency, combined with significant bills coming out of the House and Senate, are putting critical infrastructure operators on a path towards achieving cross-sector visibility and strong operational technology security.

Nearly six months ago, the global coronavirus pandemic necessitated a massive, sudden pivot to remote work. Organizations and industries that never planned to enable employees to work from home found themselves scrambling to adapt. That pivot came with cybersecurity ramifications, forcing organizations to reevaluate their threat landscape and risk environment. For critical infrastructure owners and operators in sectors such as  healthcare, communications, defense and energy the shift to remote work was particularly concerning.

For instance, during this time, the pharmaceutical industry has been hard at work to develop treatments and vaccines for COVID-19, the illness caused by the novel coronavirus — a key step towards a return to normal. But as organizations focused on this work, bad actors, foreign adversaries and criminal organizations have stepped up cyberattacks against the industry. The risks of an attack on the development, manufacture and distribution of a vaccine pose significant national security, economic and societal dangers that put the importance of secure critical infrastructure into perspective.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has been working to protect federal and critical infrastructure IT systems from exploitation by malicious actors during COVID-19.  But even before the pandemic, CISA had been working to secure industrial control systems (ICS) connected to critical infrastructure, including commercial manufacturing plants. In July, CISA released its ICS Strategy, which calls for empowering and educating ICS operators to secure their operations against cyberthreats. This is key: Operators from all sectors need tools, resources and expertise to defend themselves using basic cyber hygiene and vulnerability management practices. Galvanizing the ICS community to work across sectors and with government agencies will have a tangible impact on their security posture. CISA is leading the way in that plan.

But cyber hygiene and vulnerability management aren't enough to completely mitigate today's advanced threats. We also need cross-sector visibility and strong overall OT security and collaboration to help manage threats. CISA is currently in the process of refreshing the National Infrastructure Protection Plan, which was last updated in 2013. CISA is engaging with public and private stakeholders across all critical infrastructure sectors and from all levels of government in the update to this plan. Cross sector collaboration should be a key feature in the updated plan. In the instance of grid security, electric utilities should work together, not against each other, on security. Pharmaceutical companies should be sharing best practices to keep COVID-19 vaccine information and manufacturing plants secure.

CISA has also released cybersecurity best practices through its Cyber Essentials toolkits series. The most recent release, Essential Elements: Your Systems, leads with the essential action of learning what is on your network. This inventory of hardware and software assets is crucial because an organization's security team can't effectively protect connected assets if it's unaware of their existence.

As I noted in August during a webinar with Barak Perelman, Tenable's VP of OT Security, several of the security issues for critical infrastructure industries right now stem from a lack of awareness, and many OT operators don't know where to start. These measures will help to bridge that gap.

While CISA makes important strides on OT security through the agency process, Congress is also keenly aware of the threat. The Senate is working on the American Energy Innovation Act, which contains several provisions, including the PROTECT Act, the Enhancing Grid Security through Public-Private Partnership Act and the Energy Cybersecurity Act, that would help make significant strides towards securing the electric grid and the nation's energy infrastructure. Here's a closer look at some of these recent efforts:

  • The PROTECT Act, introduced by Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.), would establish a grant program within the Department of Energy (DOE) to help improve the cyber defenses of rural electric cooperatives — which are among our most vulnerable electric infrastructure — giving cooperatives the support they need to make vital cyber improvements. The act would also direct the Federal Energy Regulatory Commission (FERC) to use rate incentives to encourage electric utilities to invest in cybersecurity.  

  • The Enhancing Grid Security through Public-Private Partnership Act, introduced by Sens. Cory Gardner (R-Colo.) and Michael Bennet (D-Colo.) in the Senate, and Reps. Jerry McNerney (D-Calif.) and Bob Latta (R-Ohio) in the House, would give DOE the authority to provide cybersecurity assistance through a public-private partnership to resource-constrained electric utilities by providing tools for self-assessment, sharing of best practices and assistance with threat assessments and training.
  • The Energy Cybersecurity Act, introduced by Sens. Maria Cantwell (D-Wash.) and Martin Heinrich (D-N.M.), directs DOE to develop advanced cybersecurity applications and technologies for the energy sector through advancing the security of field devices and third-party control systems. DOE engagement with other appropriate federal agencies, the national laboratories and with industry stakeholders is a key component of this legislation.


In addition to the above measures, the House is currently considering the Clean Economy Jobs and Innovation Act, which includes cybersecurity provisions associated with electric grid modernization, smart buildings and smart manufacturing. It also incorporates cybersecurity research and development legislation sponsored by Reps. Ami Bera (D-Calif.) and Randy Weber (R-Texas), including important sections on grid resilience and vulnerability testing to improve energy sector cybersecurity.

This agency work and these aforementioned bills coming out of the House and Senate are all important and thoughtful steps towards securing the nation's energy infrastructure, but we shouldn't stop innovating and improving. For instance, energy cybersecurity legislation should require DOE to work closely with CISA on interoperable information sharing.

The American Energy Innovation Act and the Clean Economy Jobs and Innovation Act have several vital energy cybersecurity components and Congress should work quickly to further refine and pass this legislation.

As Perelman noted in our discussion last month, 15 years ago, we had to convince people that the threat to the electric grid was real. Now, Congress is taking important steps towards securing our OT infrastructure. I look forward to working with my colleagues and government partners on this important issue as industry co-chair of the Control Systems Working Group (CSWG). In this role, I'm thrilled to help develop the CSWG's strategy and work with industry and government stakeholders to implement our plans for collaboration and information sharing across sectors and fields to improve OT security and ensure we have a strong critical infrastructure foundation for years to come.

En savoir plus

Articles connexes

Êtes-vous à la merci des derniers exploits ?

Indiquez votre adresse e-mail pour recevoir les dernières alertes de Cyber Exposure.

tenable.io

GRATUIT PENDANT 30 JOURS


Bénéficiez d'un accès complet à une plateforme cloud moderne de gestion des vulnérabilités qui vous permet de visualiser l'ensemble de vos assets et d'en assurer le suivi avec une précision inégalée.

tenable.io ACHETER

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

65 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant

Essayer Nessus Professional gratuitement

GRATUIT PENDANT 7 JOURS

Nessus® est aujourd'hui le scanner de vulnérabilités le plus complet du marché. Nessus Professional vous donne les moyens d'automatiser le processus de scan des vulnérabilités, d'écourter vos cycles de mise en conformité et d'impliquer votre équipe IT.

Acheter Nessus Professional

Nessus® est aujourd'hui le scanner de vulnérabilités le plus complet du marché. Nessus Professional vous donne les moyens d'automatiser le processus de scan des vulnérabilités, d'écourter vos cycles de mise en conformité et d'impliquer votre équipe IT.

Achetez une licence pluriannuelle et faites des économies. Ajoutez l'assistance avancée pour bénéficier de l'accès 24 h/24 et 7 j/7 à une assistance par téléphone, via la communauté et via le chat.

Sélectionnez votre licence

Achetez une licence pluriannuelle et faites des économies.

Ajoutez une assistance et une formation

Tenable.io ESSAI GRATUIT PENDANT 30 JOURS

Bénéficiez d'un accès complet à une plateforme cloud moderne de gestion des vulnérabilités qui vous permet de visualiser l'ensemble de vos assets et d'en assurer le suivi avec une précision inégalée.

Tenable.io ACHETER

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

65 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant

Essayer Tenable.io Web Application Scanning

GRATUIT PENDANT 30 JOURS

Profitez d'un accès complet à notre nouvelle offre Web Application Scanning conçue pour les applications modernes et s'intégrant à la plateforme Tenable.io. Scannez l'ensemble de votre portefeuille en toute sécurité et avec une grande précision, sans effort manuel important ni interruption des applications web stratégiques. Abonnez-vous dès maintenant.

Acheter Tenable.io Web Application Scanning

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

5 FQDN

3 578,00 $

Acheter maintenant

Essayer Tenable.io Container Security

GRATUIT PENDANT 30 JOURS

Profitez d'un accès complet à la seule offre de sécurité des conteneurs intégrée dans une plateforme de gestion des vulnérabilités. Surveillez les images de conteneur pour détecter d'éventuelles vulnérabilités, malwares ou violations des politiques. Intégrez la solution aux systèmes d'intégration et de déploiement continus (CI/CD) pour soutenir votre démarche DevOps, renforcer la sécurité et assurer la conformité aux politiques de l'entreprise.

Acheter Tenable.io Container Security

Tenable.io Container Security permet la mise en œuvre sécurisée et fluide de processus DevOps en fournissant une visibilité sur l'état de sécurité des images de conteneur, notamment en ce qui concerne les vulnérabilités, malwares et violations des politiques, par le biais d'une intégration au processus de compilation.

Essayer Tenable Lumin

GRATUIT PENDANT 30 JOURS

Visualisez et explorez votre Cyber Exposure, suivez la réduction des risques au fil du temps et comparez-vous à vos pairs grâce à Tenable Lumin.

Acheter Tenable Lumin

Contactez un commercial pour découvrir comment Lumin peut vous aider à obtenir une visibilité sur l'ensemble de votre entreprise et à gérer votre cyber-risque.

Essayer Tenable.cs

GRATUIT PENDANT 30 JOURS Bénéficiez d'un accès complet pour détecter et corriger les erreurs de configuration d'infrastructure cloud dans les phases de conception, build et exécution du cycle de vie du développement logiciel.

Acheter Tenable.cs

Contactez un commercial pour en savoir plus sur la sécurité dans le cloud et découvrir comment sécuriser chaque étape du code au cloud.