Advancing the security and resilience of industrial control systems (ICS) is one of the top priorities of the Cybersecurity and Infrastructure Security Agency (CISA). The agency will measure the government’s success in protecting publicly and privately controlled critical infrastructure from cyberattacks in the coming years. CISA’s strategy will develop baseline cybersecurity performance goals consistent across all critical infrastructure sectors. In this article at Nextgov, Mariam Baksh explains why big companies want to avoid the agencies’ use of related performance goals in new regulations.
What Are the Industrial Control Systems at Risk?
Industrial control systems include the systems, networks, devices, and controls used in operating or automating industrial processes. Manufacturing, energy, transportation, and water treatment operations all rely on ICS. “Measuring progress in cybersecurity has been a notorious sore point from the start of targeted policymaking efforts on the issue,” says Baksh. Additionally, asset owners often consider ICS a challenge when it comes to implementing a top-down policy. This is where CISA’s voluntary cross-sector Cybersecurity Performance Goals (CPGs) play a crucial role, establishing a standard set of fundamental cybersecurity practices for critical infrastructure.
Can CPGs Help?
By implementing CPGs, business owners can reduce security risks to critical infrastructure operations and citizens’ personal information. CPGs help in:
- Creating a baseline set of cybersecurity practices applicable across the critical infrastructure
- Setting a benchmark for critical infrastructure operators to measure their cybersecurity maturity and improve upon it
How Will CISA’s Measures Raise Industrial Control Systems Security Standards?
The security measures enable owners and operators of critical infrastructure to measure and improve their cybersecurity maturity. They also offer a standardized evaluation of an organization’s activities and reduce the risks of known threats. The CPGs cover account security, data security, device security, vulnerability management, response and recovery, and supply chain/third-party management in industrial control systems. The goals include network segmentation and detecting relevant threats and tactics. These measures allow operators and asset owners to work toward shared goals. They also offer security officers the flexibility and expertise to implement them in ways best suited to their organizations.
To read the original article, click on https://www.nextgov.com/cybersecurity/2022/09/cisa-plans-measure-effect-coming-standards-industrys-cybersecurity/377363/.