

U.S. Homeland Security Launches New Critical Infrastructure Security Guidance

Critical infrastructure operators in the United States have new guidance around security and resilience, especially when it comes to emerging risks, geopolitical threats, and artificial intelligence (AI).

On 30 April, the White House National Security Council (NSC) published a National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience.

This new memorandum is designed to update guidance from a decade ago and account for changes to the threat environment, which has shifted from “counterterrorism to strategic competition, advances in technology like artificial intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The memorandum comes out shortly after a Russia-linked hacking group claimed responsibility for a cyberattack targeting a wastewater treatment plant in Indiana. The utility confirmed that it had been targeted, but denied that the facility’s systems had been compromised. CISA and other U.S. security agencies found that pro-Russia hackers exploited shoddy security practices at multiple U.S. water plants in recent cyberattacks, CNN reported.

The NSM empowers the U.S. Department of Homeland Security (DHS) to lead a whole-of-government effort to secure critical infrastructure, with CISA acting as the coordinator. The NSM “elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment,” CISA explained.

The memorandum also reaffirms the designation of 16 critical infrastructure sectors and taps sector risk management agencies (SRMAs) responsible for managing risk within each one. For example, CISA will serve as the SRMA for eight sectors and one subsector: chemical, commercial facilities, critical manufacturing, emergency services, IT, communications, dams, nuclear, and the electric subsector.

SRMAs are intended to bring institutional knowledge, specialized expertise, and established relationships across the sector to help private-sector critical infrastructure operators share information and manage risk. As stated in the NSM, SRMAs will:

  1. Serve as day-to-day federal interfaces for the prioritization and coordination of sector-specific activities, including the provision of technical expertise and assistance; serving as the federal government coordinating council chair; and participating in cross-sector coordinating councils. Continually collaborate and communicate through regular and appropriate outreach and engagement mechanisms with their sector’s owners and operators, promoting the use of risk mitigation, to include government-furnished capabilities and services for state, local, tribal, and territorial governments; owners and operators; and other non-federal entities.
  2. Lead outreach to owners and operators within their respective sectors on security and resilience issues, consistent with their available authorities.
  3. Designate the accountable senior officials—assistant secretary equivalent or above—to serve as the coordinators of the SRMA function, with the ability to delegate responsibilities to other senior leaders within their agencies. The designees will be responsible and accountable for the implementation and performance of all SRMA roles and responsibilities.
  4. Lead sector risk management within their sector and support cross-sector risk management, including establishing and implementing programs or initiatives to assist owners and operators and state, local, tribal, and territorial governments with identifying, understanding, planning for, and mitigating risks to the systems, assets, or services in their respective sector. This should include recommending sector-specific measures to protect critical infrastructure.
  5. Identify, assess, and prioritize sector-specific risk and support cross-sector and national risk assessment efforts.
  6. Facilitate the identification of essential critical infrastructure-related workforce needs and priorities for security and resilience.
  7. Incorporate identified national priorities, including Defense Critical Infrastructure (DCI), climate change, and emerging technology, into sector risk management responsibilities.
  8. Identify sector-specific information and intelligence needs and priorities, in consultation with owners and operators, and facilitate the exchange of information and intelligence, as appropriate, regarding risks to sector-specific critical infrastructure.
  9. Share and receive information and intelligence directly with critical infrastructure owners and operators in their respective sectors, as appropriate and in coordination with the intelligence community.
  10. Support domestic incident management, emergency preparedness, and national continuity, including federal mission resilience.
  11. Serve as the lead federal agencies for certain domestic incidents primarily impacting their respective sectors consistent with existing federal law and policy, including when requested or directed by the president.
  12. Provide, support, or facilitate the provision of technical assistance to sectors’ owners and operators to mitigate risk, and collaborate with those owners and operators to identify joint priorities that enhance the security and resilience of the sectors.

So far, critical infrastructure security experts and consultants seem cautiously optimistic about the new move.

Brian Harrell, CSO of energy services company Avangrid and former assistant secretary of infrastructure protection for DHS, tells Security Management that, “Given that critical infrastructure is firmly in the crosshairs of nation-state adversaries, this update was needed to clarify roles and responsibilities for public–private partnership. While only words on paper, this comprehensive update will attempt to help protect U.S. infrastructure against all threats and hazards, current and into the future. While this is helpful, the private sector will always be the lead on protecting the power grid, water systems, manufacturing, and other critical functions—with the government as a partner.”

In an emailed statement, Jim McKenney, practice director of industrials and operational technologies at cybersecurity consultancy NCC Group, said that he is “encouraged by the key elements in the NSM: centralized federal leadership and coordination, binding security standards, prioritizing intel sharing, and holding agencies accountable through national risk management plans. Those pillars make sense.

“But one area I’d want to see developed in practical terms is how we facilitate real-time operational collaboration between the government and private operators during an active incident or crisis,” McKenney continued. “Having clearly defined roles, secure communication channels, and expedited processes for requesting and receiving assistance is critical when every second counts to triage an incident.”

The NSM comes on the heels of additional news from DHS around critical infrastructure security. On 26 April, DHS announced the establishment of an Artificial Intelligence Safety and Security Board, which is meant to advise the DHS secretary, the critical infrastructure community, private sector stakeholders, and the broader public on the safe and secure development and deployment of AI technology in U.S. critical infrastructure. The board includes 22 representatives from a range of sectors, including software and hardware companies, critical infrastructure operators, public officials, civil rights leaders, and academia.

Bruce Harrell, mayor of Seattle, Washington, chair of the Technology and Innovation Committee for the United States Conference of Mayors, and member of the AI Safety and Security Board, said in a DHS statement, “Advancement in artificial intelligence and machine learning technologies offer significant opportunities to transform our society and world. Civic, business, academic, and philanthropic partners have a responsibility to foster this innovation in a way that ensures the development, deployment, and use of these technologies is safe, secure, and ethical.”

On 29 April, CISA released new safety and security guidelines from DHS about risks from artificial intelligence, including attacks using AI, attacks targeting AI systems, and failures in AI design and implementation. CISA instructs operators and critical infrastructure owners to govern, map, measure, and manage their use of AI using the AI risk management framework from the National Institute of Standards and Technology (NIST).

“The guidelines in this document address cross-sector AI risks that impact the safety and security of critical infrastructure systems and their functions. Safety and security are uniquely consequential to critical infrastructure and addressing the associated AI risks is not merely an operational need but a national security and public safety imperative,” the guideline concludes. “Although these guidelines are broad enough to apply to all 16 critical infrastructure sectors, AI risks are highly contextual. Therefore, critical infrastructure owners and operators should consider these guidelines within their own specific, real-world circumstances.”