By Jay Landers

Amid heightened fears of cyberattacks on infrastructure in the United States, in March Congress passed — and President Joe Biden signed into law — legislation mandating that critical infrastructure owners and operators report specified cyber incidents to the federal government. During a subsequent hearing, members of a key congressional committee indicated that they remain particularly concerned about certain infrastructure sectors, including drinking water.

In remarks made Feb. 24, the day that Russia invaded Ukraine, Biden noted the possibility that U.S. interests could be the target of Russian cyberattacks. “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” he said, according to the transcript from the White House. “For months, we have been working closely … with the private sector to harden their cyber defenses (and) sharpen our ability to respond to Russian cyberattacks.”

Critical infrastructure sectors

Almost two weeks later, on March 9, the House passed the Consolidated Appropriations Act of 2022 (H.R. 2471), an omnibus bill to fund the federal government through the remainder of the current fiscal year. Included in the massive bill, as Division Y, was legislative language titled the Cyber Incident Reporting for Critical Infrastructure Act. The Senate passed the legislation the following day, and Biden signed it into law (P.L. 117-103) on March 15.

The Cyber Incident Reporting for Critical Infrastructure Act amends the Homeland Security Act to require that certain “covered entities” operating in a “critical infrastructure sector” must report particular cyber incidents that they have experienced to the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security, according to the legislation.

Exactly what constitutes a covered entity remains to be determined by CISA. The notice and proceeding for the rule to define a covered entity must be issued within two years of the enactment of the new law, and the final rule must be released within 18 months of its initial proposal.

However, the current law does give some indication of the types of entities to be covered. Specifically, the law notes that covered entities are to be drawn from the critical infrastructure sectors that were identified in a document issued by President Barack Obama’s administration in 2013, Presidential Policy Directive 21.

The directive lists the following 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

Further, the current law also directs CISA to determine covered entities based on three factors:

  • “The consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety.”
  • “The likelihood that such an entity may be targeted by a malicious cyber actor.”
  • “The extent to which damage, disruption, or unauthorized access to such an entity … will likely enable the disruption of the reliable operation of critical infrastructure.”

Reporting requirements

The exact nature of the types of cyber incidents that are to be reported also will be determined by CISA as part of its future rule-making. However, the law specifies that covered entities experiencing incidents must report them to CISA within 72 hours.

Any ransom payments made in response to ransomware attacks must be reported within 24 hours, in contrast. (Such attacks involve the use of malware designed to encrypt files on devices, preventing the device owners from accessing the files and the systems they contain. The attackers then demand a ransom to decrypt the files.)

Entities submitting incident reports will be required to “preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures” that are to be established by CISA, according to the legislation.

In the event that a covered entity fails to report an incident, CISA — if it discovers the omission — will request that the entity provide the necessary information. If a covered entity fails to do so, CISA can issue a subpoena to compel the disclosure of the information.

Information reported to CISA may be shared with other federal agencies, but it may not be used for regulatory purposes by any level of government. The information is only to be used for cybersecurity purposes. The law also includes liability protections for entities submitting reports in accordance with its requirements.

Using the reported information

Upon receiving reports of cyber incidents, CISA is to aggregate and analyze them “to assess the effectiveness of security controls” and identify how adversaries overcome those controls, according to the law. The agency also is to “assess potential impact of cyber incidents on public health and safety and to enhance situational awareness of cyber threats across critical infrastructure sectors,” the law states. The reports also are to be shared with other federal departments and agencies to identify and track ransom payments.

More broadly, the reported information is to be used by CISA to “enhance the quality and effectiveness of information sharing and coordination efforts with” other federal, state, and local governments as well as critical infrastructure owners and operators, technology providers, cybersecurity firms, and security researchers, according to the law.

CISA also is to review the details of significant cyber incidents “to prevent or mitigate similar incidents in the future,” the law states. On a quarterly basis, the agency is to publish “unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports.”

‘Step in the right direction’

During an April 5 hearing of the House Committee on Homeland Security, Rep. John Katko, R-N.Y., the ranking member of the committee, highlighted the recent passage of the Cyber Incident Reporting for Critical Infrastructure Act.

“This is one of the most important pieces of cybersecurity legislation in the past decade,” Katko said. The reporting of cyber incidents to CISA will mean “earlier disruption of malicious cyber campaigns and better information and threat intelligence going back out to the private sector so it can defend against future attacks,” Katko said.

ASCE agrees with such an assessment, says Caroline Sevier, the director of government relations for the Society. “The Cyber Incident Reporting for Critical Infrastructure Act is a step in the right direction to protect the nation’s infrastructure systems from future disruptions and preserve public safety,” Sevier says.

“America’s infrastructure is becoming more digitized and entwined with advanced software that can better assess structural conditions in real time and manage important projects,” she notes. “As this trend progresses, cybersecurity risks are becoming increasingly prevalent and threaten our critical infrastructure networks, which Americans rely upon each and every day. ASCE is aware of these risks and is actively engaged in efforts to deploy systems and technologies that can detect malicious activity and facilitate appropriate response actions.”

In fact, on March 5, the society’s Board of Direction adopted ASCE Policy Statement 565, titled “Cybersecurity and infrastructure security,” provisions of which are in accord with the new law. “As more infrastructure owners, both public and private, are targeted by threats to cyber and physical systems, improving cyber and physical security for our nation’s critical infrastructure must be a national, state, and local priority,” the policy statement reads.

The policy statement lists nine actions that infrastructure owners should take “to avoid disruption and preserve public safety.” Among the actions is to “encourage the prompt reporting to appropriate authorities and impacted public.”

Protecting water infrastructure

During the April 5 hearing, Katko asked one of the witnesses — Amit Yoran, the chair and CEO of Tenable Inc., a provider of vulnerability management capabilities — about the current state of cybersecurity defenses within the water and wastewater sector.

Compared with such other sectors as financial services and information technology, the water and wastewater sectors are less prepared, Yoran said. In recent years, water and wastewater agencies have been “interconnecting their operational technologies with their IT technologies,” he said. “And so the pace of risk that these sectors are facing has really increased over recent years. So I think a lot of work remains to be done in some of these sectors.”

Testifying before the committee, Kevin Morley, Ph.D., the manager of federal relations for the American Water Works Association, called for a “new approach” to addressing cybersecurity challenges among water and wastewater agencies.

While recognizing the technical and financial challenges facing the sector, the approach “would set minimum cybersecurity standards for all types of water systems, an effort that will provide a tiered risk-based and performance-based set of requirements modeled on a similar approach applied in the electric sector,” Morley said.

In his written testimony to the committee, Morley noted that the North American Electric Reliability Corp. performs such an approach for the electric sector. “An entity similar to NERC would be created in the water sector to lead the development of the requirements using subject matter experts from the field,” according to Morley’s written testimony. “It would also perform periodic third-party conformity assessments. Federal oversight and approval of requirements would be provided by the (U.S. Environmental Protection Agency), given existing statutory authority for water and wastewater utility operations.”