With recent cyberattacks on critical infrastructure sounding a long-needed wakeup call, it's no surprise that regulatory authorities in the US and around the world are reacting with new proposals.  

Last year the Transportation Security Administration (TSA), for example, used its emergency authority to call critical pipeline companies into action with two pipeline security directives.  

As we noted soon after, recent cyber attacks “send a resounding message for government agencies to get more aggressive on cybersecurity—and should sound like an airhorn to companies with ground to make up . . . now is the time to take action.”  

We also predicted that “this is just the beginning.”

Since then, the TSA added a second security directive and expanded its regulatory requirements to include air and rail; the Federal Trade Commission, Federal Communications Commission and Securities and Exchange Commission are now seeking feedback on proposals to require cyber incident reporting and other cyber risk disclosures; the administration’s 100-day cyber sprints expanded to the water sector; the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology issued preliminary cybersecurity goals for Industrial Control Systems; and Congress just recently passed landmark legislation requiring critical infrastructure owners and operators to share cyber incident and ransom payment information with the government.

The environment is changing globally as well

The NIS2 Directive in the EU, for example, aims to strengthen the security of supply chains, streamline reporting obligations and instill stricter enforcement requirements.

The EU has also proposed a regulation on Digital Operational Resilience (DORA), intended to ensure that the financial system is protected by a common set of standards to mitigate Information and Communications Technology risks.

In addition, CISA—understanding that the safety and security of critical infrastructure requires the concerted efforts of public and private partners around the world—is reaching out to enhance and promote cross-border and global critical infrastructure security and resilience through information sharing.

As an advisor to hundreds of companies deemed critical infrastructure across nearly every sector, we know that governments and regulators face the constant challenge of ensuring their critical infrastructure is more and more cyber resilient. We also know that organizations have differing opinions on how agencies are doing.

Hard truth #1: These regs will improve cyber resiliency

We are helping to secure hundreds of thousands of miles of pipe and trillions of cubic feet of gas and work every day to implement security controls across dozens of plants. Given that, we have spent considerable time reviewing the controls in the TSA’s Security Directive 02 (SD02) and other proposals.

We believe that the controls included in SD02 and most other proposals are fundamentally sound but also require careful consideration when implementing. In fact, we've been helping many of our clients preemptively deliver on some of the controls or at least plan to do so. It's good that the various proposals are accelerating many of these programs to combat all attacks, including ransomware. Data protection, patch management, cloud security, zero trust, allow listing, MFA, identity management—all will be vital tools in cyber defense, and agencies recognize this.

Truth #2: The evolving regulations aren't perfect

Developing best practices and controls to improve cyber resiliency should and will be an ongoing, collaborative process between industry and the government. For our part, we have previously shared our experiences with regulatory bodies to help inform their work. Our analysis of each SD02 control, for example, showed several possible concerns and areas for refinement. A few include:

  • More specificity around prioritizing which systems need patching.
  • Consideration around whether complying with OT OS patching requirements could risk voiding warranties or introducing risk of failure into the products. 
  • More thought around how global supply chain realities could impact the ability to replace equipment to meet the segmentation requirements.
  • Taking a close look at whether there are sufficient federal and third-party resources for organizations to comply with the Validated Architecture Design Review (VADR) requirements within the timeframes required, with more consideration around what is in scope for the assessments, particularly for organizations that have hundreds if not thousands of assets.

In the world of cybersecurity, we can do more

At the risk of adding even more to the government’s enormously full plate, there are additional key security risks that are not addressed by SD02 that, if addressed, we think could go a long way toward improving resiliency. Two include focusing on asset management (if you can’t see what you have, you can’t protect it) and developing and sharing standard architectures for anomaly detection.

It will be critical to work together

Globally, we need to work together to address the rapidly evolving cybersecurity challenges. So, let’s come up with solutions to conquer these challenges and collaborate in a constructive way, offering solutions as opposed to just saying what we think is wrong with the requirements.

None of these new requirements around the world will be easy to accommodate, and many are unscheduled and unbudgeted initiatives. But now is the time to do our best to embrace them, collaborating with regulators during the rulemaking process to help them gain a wider view through industry feedback. The result of this collaboration and diligence will be improved cybersecurity.

 

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2022 Accenture. All rights reserved.

Jim Guinn

Senior Managing Director – Security, Strategy & Consulting Lead, Accenture
