CISA Unveils Cybersecurity Goals For Critical Infrastructure Sectors


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new report outlining baseline cybersecurity performance goals (CPGs) for all critical infrastructure sectors.

The document is the result of a July 2021 national security memorandum signed by President Biden, which tasked CISA and the National Institute of Standards and Technology (NIST) with creating fundamental cybersecurity practices for critical infrastructure, mainly to help small- and medium-sized enterprises (SMEs) improve their cybersecurity efforts.

“The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA wrote.

The goals have been established based on existing cybersecurity frameworks and guidance. They also draw on real-world threats and adversary tactics, techniques and procedures (TTPs) observed by CISA and its partners.

“By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations but also to the American people,” the report reads.

CISA also added that it plans to update these goals every six to 12 months.

“As technologies evolve, the risks, TTPs and scope will naturally change. This, coupled with the evolution of Industrial Revolution 4.0, will morph the recommendations and outcomes as appropriate,” Edward Liebig, global director of cyber-ecosystem at Hexagon, told Infosecurity.

At the same time, the executive added that CISA’s plans to draft sector-specific goals with regulatory agencies may become challenging to maintain over time without close involvement with industry vertical operators.

“There should be a concerted effort to establish and encourage participation in industry-specific Information Sharing and Analysis Centers (ISAC), such as the Electricity Information Sharing and Analysis Center (E-ISAC), as collaboration among vendors will go further in solving the problems within OT security,” Liebig concluded.

The CISA report comes months after Cyble researchers discovered more than 8,000 internet-exposed Virtual Network Computing (VNC) instances that could enable remote compromise of critical infrastructure organizations.
