
Infrastructure Security Fall 2022 Report

Kevin Will Jones

Summary

  • The Cyber Incident Reporting for Critical Infrastructure Act requires certain critical infrastructure owners and operators to report a covered cybersecurity incident to the Cybersecurity and Infrastructure Security Agency within 72 hours and a ransomware payment within 24 hours.
  • On September 22, 2022, the Federal Energy Regulatory Commission issued a proposal pursuant to the Investment and Jobs Act of 2021 to establish incentive-based rate treatments for voluntary cybersecurity investments.
  • A summary of the Consolidated Appropriations Act 2022 is attached as Appendix A.

Department of Homeland Security: Cybersecurity and Infrastructure Security Agency

Joint Cyber Defense Collaborative

Established in August 2021, the Joint Cyber Defense Collaborative (JCDC) implements provisions in the FY’21 NDAA to bring federal, state, and local governments together with the private sector to form a unified cyber defense. JCDC’s key missions are to coordinate operational planning and execution, act as a collaborative public-private cybersecurity information fusion and analysis center, and produce and disseminate cyber defense guidance across stakeholders.

Cyber Incident Reporting for Critical Infrastructure Act

On March 15, 2022, the President signed the FY’22 omnibus spending bill, which included the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”). CIRCIA requires certain critical infrastructure owners and operators to report a covered cybersecurity incident to CISA within 72 hours and a ransomware payment within 24 hours. CISA is directed, in turn, to provide reports to appropriate federal agencies within 24 hours. CISA is directed to propose a rulemaking within 24 months (to be finalized 18 months later) defining important specifics such as: which entities are covered, which cybersecurity incidents need to be reported, and what needs to be included in those reports.

Despite tension between the FBI and DHS during Congressional drafting of CIRCIA, Bryan Vorndran, head of FBI’s Cyber Division, made statements to the press that the FBI has been working with CISA in developing rules under the law.

Also, in April 2022, CISA issued guidance to stakeholders on sharing cyber event information with CISA. According to that guidance, CISA wants critical infrastructure to report the following types of activities: (1) Unauthorized system access; (2) Denial of service attacks lasting more than 12 hours; (3) Malicious code found on systems, including any variants, if known; (4) Targeted and repeated scans against services on systems; (5) Email or mobile messages associated with phishing attempts or successes; and (6) Ransomware against critical infrastructure, including variant and ransom details if known.

The guidance also describes 10 key elements that CISA recommends should be shared: (1) Incident date and time; (2) Incident location; (3) Type of observed activity; (4) Detailed narrative of the event; (5) Number of people or systems affected; (6) Company/Organization name; (7) Point of Contact details; (8) Severity of event; (9) Critical Infrastructure Sector if known; and (10) Anyone else informed.

The guidance provides insight into how CISA will implement CIRCIA. While CISA has two years to propose an implementation rule for the law, stakeholders believe it could begin the rulemaking process sooner.

CISA has announced the release of a Request for Information (RFI) regarding CIRCIA. The RFI solicits stakeholder feedback on a number of important CIRCIA implementation items, including which entities would be covered and what should be included in reports. The RFI was published in the Federal Register on September 12, 2022. Responses are due 60 days after publication. CISA indicates it will also be hosting listening sessions across the country to collect information.

Performance Goals

On July 28, 2021, President Biden issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. In addition to outlining an Industrial Control Systems Cybersecurity Initiative within the energy sector, the memo directed DHS to issue performance goals pursuant to E.O. 13636 (Improving Critical Infrastructure Cybersecurity), which President Obama issued in 2013 after Congress failed to pass legislation giving DHS authority to regulate cybersecurity.

By way of background, Sec. 7 of E.O. 13636 directed NIST to engage in a stakeholder process to create a framework for cybersecurity. Sec. 7 also directed DHS to develop performance goals for that framework informed by work on “Critical Infrastructure at Greatest Risk” (also called “Section 9 entities”). Those performance goals, though discussed by DHS in stakeholder meetings, never fully coalesced. This may have been due to pressure on the Obama Administration to not use E.O. 13636 to circumvent Congress on cybersecurity by creating de facto cybersecurity requirements.

The memo directs DHS to take up the effort again through issuing preliminary performance goals. The performance goals must be voluntary as there is no supporting statutory authority for general critical infrastructure cybersecurity regulation. However, the memo directs DHS to examine “whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure.”

Preliminary cybersecurity performance goals, which CISA calls the “Common Baseline,” were released on September 22, 2021, with the most recent version released in June 2022. Final performance goals were due by July 28, 2022.

Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, testified to Congress on September 15, 2022 that the final performance goals will be released in October 2022 to coincide with Cybersecurity Awareness Month.

In September 2022, CISA released its Strategic Plan 2023-2025, which states, “Where appropriate within CISA authorities, we will set standards and recommendations to guide security decisions, much like our efforts to establish performance goals and increase the cross-sector cybersecurity baseline.” The plan sets as a “representative outcome” that “stakeholders adopt CISA’s critical infrastructure security guidance, standards, performance benchmarks and risk management expertise.”

Securities and Exchange Commission

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

On March 9, 2022, the Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure rules for public companies by a vote of 3-1. Under the proposal, public companies would be required to disclose information under an amendment to the Form 8-K about a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. That disclosure would have to report:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on operations; and
  • Whether the company has remediated or is currently remediating the incident.

The proposal would require public companies to provide updates on the incident in their quarterly reports on Form 10-Q or annual reports on Form 10-K. The proposal would also require public companies to disclose non-material cybersecurity incidents when they become material in the aggregate. Finally, the proposal would require public companies to make disclosures regarding risk management, strategy, and governance, as well as board cybersecurity expertise.

Private sector organizations filed highly critical comments concerning the proposal. One comment signed by numerous trade associations, including those from the energy sector, said that the proposal "runs counter to sound cybersecurity policies and practices" because it could equip attackers with data that could be used against companies and law enforcement.

The Spring 2022 Unified Agenda of Regulatory and Deregulatory Actions projects that the SEC will take final action on the proposal in April 2023.

Federal Energy Regulatory Commission

Incentives for Advanced Cybersecurity Investment

On September 22, 2022, FERC issued a proposal pursuant to the Investment and Jobs Act of 2021 to establish incentive-based rate treatments for voluntary cybersecurity investments. The proposal would make expenses and capital investments associated with advanced cybersecurity technologies or participation in cybersecurity threat information sharing programs eligible for incentives. FERC is proposing to establish a prequalified list of cybersecurity expenditures eligible for incentives. The incentives would either be a return on equity adder of 200 basis points, or deferred cost recovery that could be included in the unamortized portion of a utility’s rate base. The incentives would remain in effect for up to five years after investments enter service or expenses are incurred.

The proposal terminates FERC’s December 17, 2021 proposal to establish incentive-based rate treatments for voluntary cybersecurity investments pursuant to Federal Power Act sections 205 and 206. That proposal divided the electricity sector, drawing support from investor-owned utilities but opposition from public power and transmission owners, who expressed concern that incentives could inflate costs without providing material benefits.

Comments on the proposal will be due 45 days after publication in the Federal Register.

Appendix A: Cyber Incident Reporting for Critical Infrastructure Act Summary

Legislation: H.R. 2471, “Consolidated Appropriations Act 2022” (Division Y)

Rulemaking Requirement

CISA to propose implementation rule within 2 years of enactment, with a final rule due within 18 months of the proposal’s publication.

Covered Entity

Covered entity: Critical infrastructure owner or operator that CISA determines in rulemaking should be covered, taking into consideration:

  • The consequences of critical infrastructure’s disruption to national security, economic security, or public health and safety;
  • The likelihood of critical infrastructure being targeted;
  • Damage from disruption of critical infrastructure to other critical infrastructure assets.

Covered Cyber Incident

Cyber Incident: Term has the meaning of “incident” as defined in Homeland Security Act, “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system” with the caveat added that it “does not include an occurrence that imminently, but not actually, jeopardizes information on information systems or information systems.”

Covered Cyber Incident: As defined in CISA rulemaking, cyber incident that is substantial enough to be reportable:

  • Which results in the occurrence of
    • Loss of confidentiality, integrity, or availability of IT system, or a serious impact on the safety and resiliency of OT systems;
    • Disruption of operations due to a distributed denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability; or
    • Unauthorized access due to a compromise of a third-party data hosting provider, or supply chain attack.
  • Taking into consideration:
    • Sophistication of tactics;
    • Number of individuals affected; and
    • Impact on industrial control systems.

Timelines

Covered Cyber Incident: Within, but no sooner than, 72 hours from when covered entity reasonably believes that a covered cyber incident has occurred.

Ransomware Attack: Not later than 24 hours after a covered entity makes a ransomware payment, whether or not related to a covered cyber incident.

Supplemental Reports: Promptly submitted after substantial “new or different information” becomes available, until the covered entity notifies CISA that the incident has been fully mitigated and resolved. “New or different information” is to be defined by CISA rulemaking, considering:

  • the covered entity’s existing regulatory requirements, and
  • the balance between the need for situational awareness and the ability of the covered entity to respond to the cyber incident.

Reporting Agency

Direct: CISA

Third-Party: Covered entities may submit a report through a third party, but such third-party reporting does not relieve compliance duties.

Other Agency Reporting Requirements: Other agencies receiving reports of covered cyber incidents required to share with CISA under agreed-upon policies and procedures. DHS directed to coordinate with other regulatory authorities to harmonize reporting requirements.

Content

Covered Entity: Determined by CISA in rulemaking but including:

  • Description of affected systems and unauthorized access;
  • Date range of attack;
  • Impact to operations;
  • Description of vulnerabilities, tactics, techniques, and procedures;
  • Identifying information of threat actor;
  • Categories of information accessed;
  • Name of the entity impacted; and
  • Contact information.

Ransomware Attack: Determined by CISA in rulemaking but including:

  • Description of attack, with estimated date range;
  • Description of vulnerabilities, tactics, techniques, and procedures;
  • Identifying information of threat actor;
  • Name of the entity impacted;
  • Contact information;
  • Date ransom paid;
  • Ransom payment demand, including type of virtual currency or other commodity requested;
  • Ransom payment instructions; and
  • Amount of ransom payment.

Information Protections

  • Can only be used by government for a cybersecurity purpose (except for other very limited purposes);
  • Ransomware payment reports cannot be used to regulate the covered entity;
  • Considered proprietary information;
  • Exempt from FOIA and state and local disclosure laws;
  • No waiver of privilege;
  • Ex parte communication waiver;
  • Protection from liability for providing information to the government;
  • Reports, and “any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report” cannot be evidence or subject to discovery “before any court, regulatory body, or other authority of the United States, a State or a political subdivision” provided that such restriction shall not apply to communication, document, material, or other record, not created for the sole purpose of preparing, drafting, or submitting such report.

Compliance Penalties

CISA may request information from a covered entity it believes should have reported a cybersecurity incident. If CISA receives no response, it can subpoena the covered entity for that information. Such subpoenaed information receives none of the protections listed above. If CISA determines the unreported incident was a significant cybersecurity incident, then it can conduct further investigation and, if necessary, forward the matter to the Attorney General, who may seek a contempt of court ruling or inform the appropriate regulator.
