Where CISA’s Plan for Securing Industrial Control Systems Intersects with Private-Sector Liability Protections

The Cybersecurity and Infrastructure Security Agency’s newly released strategy to invest in technology to protect industrial control systems from cyberattacks relies on private-sector entities sharing information about the risks they face with the government, but it doesn’t include the liability protections companies are asking for in exchange.

Industrial control systems are used to automate processes in sectors such as electricity, water, transportation and manufacturing. A successful intrusion into these systems could lead to devastating physical consequences, which makes them attractive targets for hackers.

CISA’s five-year plan to protect these systems is to work with their private-sector owners and operators to identify the threats they’re encountering and assess where they’re vulnerable, so the government can ultimately prioritize investments to improve their defenses.

The strategy doesn’t note where the government’s share of the investments would come from. A bill approved by a House Appropriations Committee Tuesday would provide $2.25 billion in funding for CISA in 2021.

“CISA and the ICS community must know the impact our actions have on the national ICS risk landscape, particularly with respect to [National Critical Functions],” the CISA plan reads. “With this knowledge, together we will work as a single, unified organization that achieves sustainable and enduring ICS security and drives wise, risk-informed ICS security investments.” 

But companies have long been reluctant to share information about their defenses for fear they’ll be held responsible for any resulting harm. 

A 2015 law on sharing information for cybersecurity provides protections from liability related to antitrust issues. A public-private CISA task force last year proposed further “resolving legal constraints” to information sharing.  

CISA’s strategy is one part of a more comprehensive vision for protecting critical infrastructure, which is outlined by the Cyberspace Solarium Commission, and takes such concerns into account. 

“I think the tension is that people don’t want to share because there’s a possibility that in sharing they may expose themselves, there may be problems,” Brandon Valeriano, a senior advisor to the commission, told Nextgov during a webcast Tuesday. “That’s really a key issue, is we need to get people to be more open about what the problems are in this [private] sector.”

source: NextGov