The US government has issued a series of prescriptions for preparing critical infrastructure operators for disasters, physical attacks, and cyberattacks, with an emphasis on the ability to recover from disruptions in the future.
The initiative, dubbed “Shields Ready,” aims to convince 16 identified critical infrastructure sectors to invest in hardening their systems and services against any disruption, no matter the source. The effort, spearheaded by both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), assumes that attacks and disasters will happen and calls on critical infrastructure operators to prepare to keep services running.
The interconnectedness of the 16 critical infrastructure sectors, and the supply chain on which they rely, means preparedness is critical, said Jen Easterly, director of CISA.
“Our nation’s critical infrastructure entities — from schools to hospitals to water facilities — must have the tools and resources to respond to and recover from disruption,” she said in a statement. “By taking steps today to prepare for incidents, critical infrastructure, communities and individuals can be better prepared to recover from the impact of the threats of tomorrow, and into the future.”
The dangers to critical infrastructure have grown in recent years, with disruptions caused by severe disasters, such as the California wildfires and the coronavirus pandemic, as well as by cyberattacks. Pharmaceutical firm Merck, for example, suffered a major outage from the NotPetya cyberattack in 2017, while this year competitor Pfizer had a tornado strike a major warehouse, disrupting the supply of certain drugs. And in May 2021, US pipeline operator Colonial Pipeline suffered a ransomware attack that shut down its pipeline for nearly a week, leading to gasoline shortages across the southeastern United States.
A previous campaign, known as “Shields Up,” focused on convincing critical infrastructure organizations to take defensive actions in reaction to specific threat intelligence. Shields Ready is all about preparing for the worst across the board, says Michael Hamilton, co-founder and CISO of Critical Insight, a cybersecurity consultancy.
“The hidden message here is, it’s coming, and looking around the world, it’s not that hard to predict,” he says, pointing to regular FBI and CISA warnings to industrial control and critical infrastructure providers. “It’s not hard to put two and two together and say, you know the threat level has gone up for infrastructure disruption.”
Policy Initiatives for Shields Ready
A problem for the initiative is that many of the current recommendations are voluntary and informational. With November designated “Critical Infrastructure Security and Resilience Month,” CISA has published a toolkit for critical infrastructure providers, a 15-page document covering specific threats, security challenges, and self-assessment exercises. The agency has also published the Infrastructure Resilience Planning Framework (IRPF) and guides on developing a resilient supply chain and responding to a cyberattack.
Still, the effort lacks regulatory teeth, says Tom Guarente, vice president of government affairs at Armis, an operational technology (OT) security firm.
“What it appears to really be about is building resilience in terms of starting with situational awareness, talking about the importance of sharing information between public and private sector entities,” he says. “They say there’s a toolkit, but the toolkit appears to be made up mostly of guidelines — you know, PDF documents. So the short answer is, I don’t know what will come out of the Shields Ready campaign.”
Yet coming up with general guidelines under the Shields Ready umbrella for all 16 critical infrastructure sectors is likely impossible, so it is unsurprising that the initial effort lacks detail, says Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, an OT network security vendor. Each critical infrastructure sector has a designated Sector Risk Management Agency (SRMA), typically the Department of Homeland Security but in some cases another department, such as Energy, Defense, Health and Human Services, or Transportation, that will make sector-specific guidelines and requirements.
“I think the government is more in an audit mode today,” she says. “It’s important to remember that critical infrastructure is not monolithic, there’s no one-size-fits-all security plan, program, or set of controls that benefits all 16 sectors the same.”
Encouraging Critical Infrastructure Safety: Carrot or Stick?
Those efforts, for the most part, appear to take a light touch toward getting industry executives on board. Because security continues to be a cost center — the tax of doing business — companies naturally want to minimize those expenditures, which is why punitive action will likely be necessary to get many of the recommendations implemented, says Critical Insight’s Hamilton.
Holding executives liable for their company’s performance during a disaster or a cyberattack — such as the charges against the CISO of SolarWinds — has already been a rude awakening for the industry, he says.
“Having briefed senators, generals, and governors, I’ve found that you can talk about scary Russians, supply chains, buffer overflows, and SQL injection all you want, and you’re just gonna get eye-rolling,” Hamilton says. “But as soon as you say ‘executive negligence,’ you have an audience. That’s exactly what the government is doing — they are going to hold executive leadership as negligent and that’s getting everybody’s attention.”