The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have identified recommended cybersecurity practices intended to serve as the foundation for preliminary control system cybersecurity performance goals.
The recommendations were made to comply with a July 28 presidential memorandum on national security that established a voluntary initiative intended to foster collaboration between the federal government and the critical infrastructure community to improve cybersecurity of control systems.
The memorandum instructed the Department of Homeland Security (DHS) to lead the development of preliminary cross-sector control system cybersecurity performance goals as well as sector-specific performance goals within one year of the date of memorandum. The goals are intended to provide a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.
As an initial step in that process, CISA and NIST looked at available control system resources and recommended practices that have been generated by government and the private sector.
CISA and NIST identified nine categories of recommended cybersecurity practices to serve as the foundation for preliminary control system cybersecurity performance goals.
The nine categories are:
- risk management and cybersecurity governance,
- architecture and design,
- configuration and change management,
- physical security,
- system and data Integrity, availability, and confidentiality,
- continuous monitoring and vulnerability management,
- training and awareness,
- incident response and recovery, and
- supply chain risk management.
Each of the nine goals includes specific objectives that support the deployment and operation of secure control systems that are further organized into baseline and enhanced objectives.
All the outlined goals are foundational and represent high-level cybersecurity best practices and are not intended as an exhaustive guide to all facets of an effective cybersecurity program, CISA and NIST said. The enumerated goals are preliminary and were developed and refined with as much interagency and industry input as practical during the initial timeline of the overarching cybersecurity initiative.
The Department of Homeland Security said it expects to conduct much more extensive stakeholder engagement as the goals are finalized in the coming months.