CISA Unveils Critical Infrastructure Reporting Rule – Source: securityboulevard.com

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.

Under this rule, covered entities must report significant cyber incidents within 72 hours of discovery, along with ransom payments within 24 hours.

CISA Director Jen Easterly emphasized the importance of the rule in enhancing cybersecurity coordination and response efforts across industry and government sectors.

Implementation of CIRCIA will enhance CISA’s cybersecurity capabilities, Easterly said, by leveraging incident and ransomware payment data to detect patterns, address critical information gaps, and swiftly assist entities impacted by cyberattacks.

Sharing cyber incident information enables CISA to provide timely assistance and warnings to prevent further victimization, while also aiding in identifying trends for homeland protection efforts.

“It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” Easterly said in a statement announcing the rule. “We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”

The proposed rule is estimated to cost $2.6 billion and potentially affect over 316,000 entities.

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act in March 2022, but the CISA’s regulatory activities, including rulemaking, are ongoing. The NPRM was published on April 4, 2024, initiating a public comment period until June 3, 2024. CISA is collaborating with various entities and stakeholders to develop the final rule, which is expected to be published 18 months after the NPRM.

Top-of-Mind Questions

Callie Guenther, senior manager of cyber threat research at Critical Start, says implementing the act presents several challenges, including varying levels of cybersecurity maturity across sectors, the need for clear guidelines on what constitutes a “significant” cyber incident, and potential underreporting due to concerns over legal liability and reputation damage.

“To address these, a unified framework tailored to sector-specific needs, alongside incentives for voluntary sharing of threat intelligence, can enhance collaboration and compliance,” Guenther added.

Companies should be proactive about this new requirement. Prepare now, so that you have a clear playbook for when an incident occurs, said Jose Seara, CEO at DeNexus.

This starts by knowing the cyber risk that the organization faces and sharing with stakeholders the nature of those risks, financial losses associated with potential cyber incidents, and which site or facility is at risk.

“With a cyber risk program in place, companies will be ready to rapidly assess whether a cyber event is material,” Seara said. “In addition, they gain visibility into risk mitigation strategies and can optimize their cybersecurity investments.” This is particularly important in capital-intensive environments with cyber-physical assets as commonly found in critical infrastructure companies, he added.

Marcus Fowler, CEO of Darktrace Federal, noted that critical infrastructure providers and manufacturing companies are increasingly pursuing IT and operational technology (OT) convergence.

“The data collection and analysis benefits can dramatically improve production efficiency, maintenance, and scaling,” Fowler said. However, as OT security struggles between legacy systems and the expanding wave of IT and OT interconnectivity within their environments, the risk of cyber-physical attacks continues to grow.

“With IT/OT convergence expanding attack surfaces, security personnel have increased workloads that make it difficult to keep pace with threats and vulnerabilities,” Fowler said.

Considering the significant estimated cost and impact on a wide range of entities, it’s crucial to balance the rule’s effectiveness with its financial and operational feasibility, Guenther advised. Policymakers and organizations should consider phased implementation based on entity size and sector criticality, provide financial and technical support to smaller entities, and continuously assess the rule’s cost-benefit ratio to adjust requirements as necessary.

“Determining the scope of covered entities should involve criteria such as the entity’s role in national and economic security, the potential impact of a cyber incident on public safety and health, and the entity’s dependency on digital infrastructure,” Guenther explained.

Flexibility in compliance requirements, considering sector-specific risks and vulnerabilities, can ensure broad protection of critical infrastructure without imposing excessive burdens on any single sector.

Seara points out that industry sectors with cyber-physical systems or Operational Technology (OT), including energy, transportation or healthcare, rely on equipment that is complex to upgrade. “Identifying the most critical cyber risk is even more important for those sectors so that alternative methods such as network segmentation of obsolete or unpatchable environments are put in place,” he said.