The federal government’s voluntary security guidelines for critical infrastructure operators aren’t particularly burdensome or stringent — they’re downright basic, industry analysts said.
The cybersecurity performance goals published Thursday by the Cybersecurity and Infrastructure Security Agency are presented as a “baseline” to “help establish a common set of fundamental practices for cybersecurity practices for critical infrastructure.”
Considering the threats confronting organizations in sectors deemed critical to the national and economic security of the U.S., the benchmarks outlined by CISA might appear timid to some.
But for federal authorities, that’s exactly the point — it’s a start that, if implemented, can meaningfully reduce the impact of known risks.
“The guidelines are the basics, but I suppose I would classify them one step higher than just pure basics. Let’s call it basics plus,” Chester Wisniewski, principal research analyst at Sophos, said via email.
“Certainly most of the guidelines have been established practice for a very long time, but others, like disabling macros by default or carefully assessing supply chain risks are not widely discussed outside of security circles,” Wisniewski said.
The guidelines also confirm that most critical infrastructure operators aren’t even doing the basics today, he and other analysts told Cybersecurity Dive.
“That was my big takeaway — critical infrastructure security is all over the map,” said Zeus Kerravala, principal analyst at ZK Research. “My experience is, most critical infrastructure lacks any kind of advanced security.”
CISA concurs with that assessment, noting many organizations haven’t adopted fundamental security protections. The lack of basic protections, such as multifactor authentication, stronger password management, and maintaining backups “repeatedly exposes critical infrastructure to damaging cyber intrusions,” the agency wrote.
By acknowledging this absence, CISA conveys a broader need to establish consistent standards that should be adopted by all critical infrastructure sectors. Gaps in cybersecurity maturity between these sectors can be exploited by adversaries, the agency said.
While the cybersecurity performance goals do bear elements of repetition, such as adopting MFA, there’s nothing wrong with getting the message out in a more formal and descriptive manner, said Ron Westall, senior analyst and research director at Futurum Research.
Other guidance, such as changing default passwords is a no-brainer, but it’s not implemented enough, Westfall said.
CISA’s new guidance comes as part of a larger effort by the federal government to bolster security across a range of sectors, including the electric power sector.
The Federal Energy Regulatory Commission is considering developing new rules for distributed energy resources on the bulk electric system, which an October report from the U.S. Department of Energy concluded “pose emerging cybersecurity challenges to the electric grid.”
Smaller organizations struggle to meet minimum standards
Critical infrastructure represents a broad swath of organization types and sizes. CISA notes organizations with limited resources, typically small- and medium-sized businesses, struggle to determine where to start and prioritize investments in cybersecurity.
Some of the cybersecurity performance goals might appear elemental for a massive critical infrastructure operator, but many smaller organizations haven’t achieved those minimum standards.
“The cybersecurity performance goals are intended to be a floor, not a ceiling, for what cybersecurity protections organizations should implement to reduce their cyber risk,” CISA said in the guidance.
Kerravala concluded: “I look at this as a crawl step towards better critical infrastructure security with walk and run to come.”
Analysts roundly agree CISA is taking a positive step by organizing these baseline cybersecurity standards into a single document and corresponding checklist for critical infrastructure operators to track their progress, but note more could be done.
“For now, considering the terrible state of most critical infrastructure operators, this is likely enough. It will help them attain achievable progress and once they are there we can advance our expectations in lockstep to be sure to provide a newer, tougher set of guidelines that will be achievable from that point,” Wisniewski said.
“Like it or not, these guidelines are important at coaxing industry into at least the bare minimums, which sadly are currently ignored,” Wisniewski said.
Because the majority of U.S. critical infrastructure is owned and operated by private industry, government agencies must either force adherence via regulation, incentivize organizations to implement these standards, or facilitate a combination of both, said Katell Thielemann, VP analyst at Gartner, said via email.
These efforts “help set the stage for this ‘we’re all in this together’ mindset, even if they are unlikely to dramatically move the needle on their own,” Thielemann said.