How US “Critical Infrastructure” Regulations Impact Security

Published Jan 17, 2024, 16:39

US government policies safeguard a vast array of infrastructure, from communications networks to chemical plants, considered critical to the well-being of US citizens and the economy. But what exactly is considered critical infrastructure? What are the security standards for these sites? And how do they impact end users now and in the future?


In this report, we examine what critical infrastructure is, the expectations of those who qualify, how critical infrastructure protection has and will impact physical security companies, the role of various US government agencies, and more.

This is a companion report to our report on CISA, which is the central US authority on critical infrastructure protection. See: The Growing Power Of The US Cybersecurity and Infrastructure Security Agency (CISA)

Executive *******

******** ************** ********** (***) ********* *** impose ********** ***** *** ******** ******** requirements ** ************** ********* **** ****** downstream *********** *** ******** ******** *********. Physical ******** ********* **** ** ***** of *** ********* *** *** **** might ****** ** *** ******, *** only ** ***** ***** ********* *** also ** ****** ***** ****** ****** and ************ *** ********* ** *** measures.

***** ** ** ***-****-****-*** ****** ** the **** ********* **** *** ******. It ** *** ****** ******* **** is *** ** *** ******** **************. Different ******** ****** ********* ************ *** different **********; *** ****, **** *** mandatory, ***** *** ******, **** *** voluntary.

*** ** ****** ** ****** **** coherent *** ****** ** ***** **** businesses **** ********** ******* ** ******** infrastructure, *** **** **** ******* ** a ****** ****** **** *** ******** could *** ****** **** **** ** the ****** *****. *** ***, *** measures ********* **** ****** ******** *******, like *** **** *** ********* ******* end-users ** ********* ********* *** ****** sector *********.

Impact ** *** ** ******** ********

******* ******** ************** ********** (***) ******** can **** * *********** ****** ** physical ******** ******* *** ******** ******* as ******** **************. ******** ******** ********* face ********** ********** *********** *** *****, physical, *** ****** ***** ******** *********, key ******-*** ************** ** ********** ******** assets ****, **** **** *** ******* they ********, *** ******* ** ***** change.

* ******-***** ******* ***** **** **** ******* *** ***, * ******** ************** **** ********* measure ******* ** ******* ******* ******** against ********* ** ******* *********** **** certain *************, ********* ***** *** *********. Since *** ******* ********** ** *** US ******** ********'* ******* *****, *** ban ******* ***** ******* ** ******** supply ******, **** ********* ****** **** federal *****. ******* ***** *** ********* were ***** *** **** ****** **** products ** ****, ********* *********** *** ***** ************ ** ********.

***** **** ******** ******** **** *** NDAA ***, ******* ******** ************** ******* may **** ****-*******, ********* ********* **** vendors **** ** **** ** ****.

*** ********, *** ****** ****** ********** **** *,*** ***** ** **************** ** ******** ******** ******** *********** ***********(****). ***** ******* ********* ***** *********, like ********** ******** **********, *** ******** security *********, **** "********[***] ******** ****** to *******" *** ***-****** ****** ******* systems (*.*. ************ ****** + ********* authentication).

******** *** **** *** ******* ****** to ******* *** ***** ****** **** sellers, *** ****** ** *** ****** was ********; *** *** ****** ******, only * ******* ****** ** ********* can ********* ******* **** **** ********* NERC *********. ***** ********* *** *********** impact **** *** ********* *** **** on ******** ******** *********.

**** ** *** ** ** ********* that ******** ******** ********* ***** ************ in *** ** **********'* *** ******** which, ** ** ******* ******* **, could ****** ********* ********* ****** * much ******* ***** ** **********.

What ** ******** **************?

** ********** *********** **** *** *****, so *********** **** *** ********** ********* critical ************** ** *** ****** ***************. Typically, ******* ******** **** *** ********** established ************ ****(*) ** *** *** ******* Act ** ****:

*** **** "******** **************" ***** ******* *** ******, ******* physical ** *******, ** ***** ** the ****** ****** **** *** ********** or *********** ** **** ******* *** assets ***** **** * ************ ****** on ********, ******** ******** ********, ******** public ****** ** ******, ** *** combination ** ***** *******.

**** ******** * ******* ********. *** businesses **** *****, *******, *** ******** electrical ***** ** ************** ******** *** obviously ******** ************** ***** **** ********. But **** ******, ***** ** ** clear-cut ******. **** * *********** **** feeds *.*% ** ********* **** *** qualify? ** **,**** ********'* ********** **************.

*** ********** ********* *** **** *******:

*) *** ******** ************** ********** ****:

** ****, ********* ************ *** ******** ************** ********** **** (NIPP), ***** ********** ** ******* ** "vital ** *** ****** ******":

*** ** ******* ********** ** ***-** as ***** ** *** ****** ******, namely: ********; ********** **********; **************; ******** manufacturing; ****; *** ******* ********** ****; emergency ********; ******; ********* ********; **** and ***********; ********** **********; ********** *** public ******; *********** **********; ******* ********, materials, *** *****; ************** *******; *** water *** ********** *******.

*******, **** ********* * ********* ****** to ******* ****** ** **** ******. The ******** ********** ** *********** *** "financial ********", *** ************* ********** ****** is *********** *** "***** *** ********** systems," *** ** **.

**** **** *** ******* *** ******** companies ** ********** **** ***** ******** infrastructure: **** *****, ***** **** ********** clearly ******* - **** **&* ** Lockheed ****** - ** *** ** unclear **** ********* ************* **************.

*) **** ******** ******** *********

*** ** ************* *** ************** ******** Agency (****) ******* * ********* ******** to ************* ******** **************, ******* ** into** ********* ******** ******** **************** ** *******. *** ********, ** is ******** ** "******* *********** ********** Products *** ********", "********** ***********," *** "Provide ******** ********** *** ********** ***** Support ********."


******:************* *** ************** ******** ******

****'* ***** ** ******** ********* *** be ****** ** * ***** ** how **** *** ***** ********** ******** direct *********, *** *****, ** ***** for **********. *** ********, *** * function **** "******* ******** ********** *** Associated ***** ******* ********," **** **** include********* ****** ********* ** ************ ********* **** *****?

** * ********* ******, ********* ** what ********* ** ******** ************** *** minimal ********** *** ******* *** *****; businesses ** ***** *******, **** ******, are ******* ***** **** *********** ***** to ****.

*** ********** ** **** ** ************* that *** ** ********** *** **** a **** ***** ********** *** **** it ***** ******** ******** **************, *** new ***** ** *** ****** ***** apply ** ****** ******** ***** **** umbrella ** *** ***** ** ******* urgency. *** **** **** ** ** ambiguous ** *****, *** ********, ********* as ******** ************** ** ** **** a **** ** ********* ****** ********** as ** ** * ******** **** current **********.

The **** ** ****

******** ******** ** ****, **** *** **** *** ******* authority ** ******** ************** **********. *******, it **** *** ******** ****** *** standards.

**** *********** ** ******** ******; ** ******** ******** *** ******* with ******** ********, *** ** **** not ******* ***** ** ******** ******** standards, ** ******* ********* *****, ****** for ***** ******* ********.

**** ******** *** **** ** **** and *** ******* ****** ********* ******* critical ************** ******** ** ***** ** a ******** ******. ***:*** ******* ***** ** *** ** Cybersecurity *** ************** ******** ****** (****)

Is ******** ******** ******** **************?

***** ******** ******** ** *** ******** defined ** ******** **************, *** ******** in ***** ******* ***** ****** ******** security ********* ** ***** *********.

*** ******** ******** ******** ***** * key **** ** ********** ******** **************, which ****** ** ************, ****** *******, and ***** ******** ************. **** ******** security ********* **** *********** **** ***** NIPP's "*********** **********" ****** ** ****'* "provide *********** ********** ******** *** ********" function.

**** ** *** ******** ** ***** of ********** ********* ** ******** ************** that **** ******** *** **** ****** specify ******** ******** ** * ******** sector ** ********, ******** **** ********* the ********** ** ******** ******** ** critical **************.

Cyber/Physical ******** ********* ****** ********* ** **** *******

*** ***** ******** *** ** **** ban ** **** **** ***** ** must ******. ******** *** ************ ****** critical *******, ** **** ** *** different ******* ******** ******** ** **** has ********* ****** *** *******. *** many *******, ******* ***** "********," *** standards *** ****** *********. ** * result, *** ****** ** ***** *** affects ******** ******** ********* *** **** not **** **** ****** ** ******, but ******* ** *******, ********* ** how ********* *** ******* ***** *** obligations.

** *** ************* *** ************** ******** Agency (****) ******** ** ******** *** ******** ************** ******** *** Resilience, ********* **** *** ***** **** on "******* *** ****** ** ****** chooses ** ***** ** ****** *******...":


*** ******** ** ******* ** ********* to ****** *** ********** ******* *** how **** ******* ********** ** ********** applicable ** ***** *** ******** ******** standards.

****, *** *******, ****'********* ******** ****-********* *********(*****) *** ***** ******** **** **********. While ******* *********** ***** *** *** safe ******** ** *********, **** **** that *** "*** *,*** **********...**** ****** [legally] ******* *** ************** ** ***** and ******** ******** ********."

****** **** ***** **** ***** ******, CISA ****, "****** ****: **** ****** ensure **** ******** ********** *** ********** the ********* ************ ** ******** ********."

** ** ****, ****** ******** ********* exist ** *********. *** ******** ********* for ********* *** **********'* (****) ************* Framework ******** ************* ******** *** ******** infrastructure. **** ******* **-**** ********* ********** *** *********'* ********,* **-**** ******* * ** *-**** ******** ********* to ********** ********* ********** ******** (*.*. enforcing *** ** ** ************), *** profiles *** ******** ************ *****, **** as**** **-**** ***** *** *************. ** **** ****** ******** ******** albeit ** * ****** ****** **** cyber:


******:**** ************* *********

******** *********** *********** *** ************ ** CIP ***** *** ******* *******, ******* as * ** ***** **** ** CIP. *** ********, ***** *** ******* to *******-******* ************* ********* ******** *****-*****-****** ****** ******** **** **** ******** ******** standards ** **** ****** **** *** valuable *****.

*******, ** *** *** ****,*** ********* ******** ****** ************ ******* for ******** ************** ************** "********" ********* ** ****'* ************* framework *** ******** ******** ********* *** does *** ******* ****.

Future ********* ***** *** ******** ******** *********

*** *** ********, ********* ********* ********* for * ******* ***** ** **********, are ****** ** ** ********** ** Congress ***/** ******* *********** ** *** coming *****, ***** ***'* ******* ************ and ** ************ ********* ************* *******.

*** ************ *** ********* ******** ** CIP ***** *** ******** ******** *** reduce *** ************ ** ******* *** is * ****** *** *********** *********** leading ** ********** ******* ** ******** infrastructure. ************* *** ******** ** ******** the *********, ********* ********* **** ******** left ** ***** *** *******, *** as ****** ********* **** *****, ******** lapses ** ******** ************* * ******** ******** ******.

**** ******* ** ******* ** ********** officials, *** ** ******** ** *** should ** ******** ** *** ****** years. ******* ***** ** ******** *********** to **** ******, *********** **** ********** *** ** ****, *** *** ***** ************** ***** on *** **** *** ********* *********** * **** ********* ***** ** CIP:

*********,federal ************* ********** ** *** ****** ****** ** ********. We **** * ********* ** ******-******** ******** **** **** **** ******* *********, as data security threats in particular sectors have gained public attention. Given the evolving threat we face today, we **** ******** *** **********, **** ********* *** *********. We look to responsible critical infrastructure owners and operators to follow ********* ******** ** **** ** ********* ************ in order to ensure that the critical services the American people rely on are protected from cyber threats. [emphasis added]

**** **** ******* ***** ********* ** detail, *** **** ****** *** ******** could *** ****** ****, **** ** a ****** ******. *** ****** *** physical ******** ********* ** **** *** mandatory ******** ********* ********* * ******* range ** ********** **** ********** ** them *** ******** *** ***** *** complexity ** ***** ********.

Impact ** ***** ********* ** ***********

***** ********* *** ** *** ***** to ** ******** ** ********** *** standards, ***** *** **** ***** ********** with**** ****** ******** *****, ******** ************ ********* **** ***** as ****.

* **** ** ***** ********* ***** a **** *********** ** *********** ******** impacts ***** **** ********* ******* *** control ******* *** *** ***** *** users ****** *** *********** ***** ** integrators ******* ** ********** ******* *** each ****. ** ***** *****, ** attack ** * ****** ******* *** be ** ****** ** **** ** thousands ** ******.

*** ********, ******* ******** ************, ****** control, ******* *** ******************** **,*** *********. ********** ******* ***** ******* ****, lock ** ****** *******, ** ********** other *******. ** ****, ********** ****** ** ***** ****, *** ******* ******** ************ ** organizations ********* **********, *****, *** *********, all ** ***** *** ******** **************.

*******, ****'* ************* ********* *********, **** 2-step ************ *** ******* ********** ***** access, ***** **** ********* *** ****** since ******* **** ****** ***** ***** credentials, ***** **** ****** ********* ** employees.

**** ** *** ** ******* **** increasing *** ********* ***'* ****** ***** businesses. ** ****, ***** ********* **** scale ********** **** ******* ******** ******** companies, **** ***********, ** ***. ******* they ********* ******* ******* *** **** customers, ** ** ****** *** ***** to ********* ************* ********* *** *** of ****. ** ********, *********** *** need ** ***** ** ****** ******* with ************ **** ********* ** * client-by-client *****. ***********, ******** ************** ***** are **** ****** ** ******** **** traditional, **-******** ******* **** *** *** VSaaS.
