The Challenge of Regulatory Compliance for Critical Infrastructure

Healthcare has HIPAA. Credit cards and electronic payments have PCI DSS. Consumers have GDPR and CCPA. There is an alphabet soup of regulatory compliance requirements that many industries must follow to offer layers of cybersecurity protection to those businesses and customers.

However, some of the biggest and best-known cybersecurity incidents of 2020-2021 were attacks against critical infrastructure such as the Colonial Pipeline and SolarWinds. There are no overarching regulatory compliance laws for critical infrastructure—yet.

One Infrastructure Out of Many Industries

What we refer to as critical infrastructure is made up of sixteen sectors, according to the Cybersecurity and Infrastructure Security Agency (CISA). They include chemical, communications, emergency services, energy, healthcare, food and agriculture, and information technology. These are, of course, the sectors that keep the country up and running.

Individually, the sectors have to follow regulatory compliance laws as industry standards. And there are existing regulations around critical infrastructure protection, some of which were the catalyst for the creation of the NIST Cybersecurity Framework (CSF), which is very prominent in all industries and sectors, said Michael Isbitski, technical evangelist at Salt Security.

“It can be argued that the CSF is not prescriptive enough, but the complexity and uniqueness of each type of critical infrastructure makes drafting any universal, comprehensive security guidance a herculean task,” said Isbitski in an email interview.

The interconnectedness of critical infrastructure and its digital supply chain is what makes developing a single compliance law so problematic.

“Documenting all the potential design, development and deployment patterns at a deep technical level is virtually impossible,” said Isbitski. “We see the same pitfalls within security threat modeling practices. Most organizations abandon this traditional security best practice when faced with scaling and operationalizing their technology stacks and supporting infrastructure.”

Looking for a Security Solution

CISA provides security guidance for each designated sector and, in some cases, standards already exist within a sector, such as the Department of Defense (DoD) Cybersecurity Security Model.

“In some cases,” said Tim Wade, technical director, CTO team at Vectra, in an email interview, “it will be appropriate for this to move beyond simply guidance and into mandated, auditable standards.”

That’s what Congress is setting out to do. A bipartisan group of senators is developing legislation that would require the sixteen critical infrastructure sectors to report significant cybersecurity incidents to CISA, with potential penalties for non-compliance.

At a hearing of the U.S. Senate Committee on Homeland Security and Governmental Affairs, Sen. Gary Peters, D-Mich., one of the architects of the legislation, said, “This information is especially vital when it comes to our nation’s critical infrastructure, 85% of which is privately owned and operated. Despite this vulnerability, there is no national requirement for all critical infrastructure owners and operators to report to the federal government when they have been hit with a significant attack, and that needs to change.”

Peters hit on one of the concerns surrounding regulatory compliance and critical infrastructure: Not only are the individual sectors disparate, but the majority of them are also privately owned. That status has made other legislation surrounding cybersecurity and data privacy difficult to pass on a federal level.

But we’ve already begun to see how a single attack against one company within the critical infrastructure sector can impact, well, everything. The Colonial Pipeline incident disrupted the delivery of oil products, which drove shortages at gas stations and delays in the supply chain. And that wasn’t even an incident that directly hit the manufacturing, supply or delivery sectors!

“The effective and continued operation of critical infrastructure is, by definition, in the public interest—when that operation is disrupted, the public should have timely notification of the event and ongoing impact,” said Wade. “Unambiguously making this a uniform requirement across all critical infrastructure must occur.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.