President Biden proclaimed November 2022 as Critical Infrastructure Security and Resilience Month, and we at the Operational Technology Cybersecurity Coalition join the President in our commitment to improving the resilience of our nation’s critical infrastructure.
Our critical infrastructure includes the systems that keep our nation running every day – from water and energy to hospitals and schools. And as information technology (IT) and operational technology (OT) converge, and more capabilities are digitalized and added to these systems, cybersecurity risks multiply, which makes enhancing our defenses against cyberattacks crucial. Representing the entire OT lifecycle, our member companies work daily to ensure that utilities, schools, hospitals, water systems, and more all have the tools they need to protect themselves from cyberattacks. But we cannot do this alone.
President Biden recently shared a letter to Congressional leadership on the need for urgent action to improve the cybersecurity of our critical infrastructure, emphasizing that we, as a nation, lack mandatory minimum cybersecurity requirements across our critical infrastructure. In addition, President Biden called for an update to Presidential Policy Directive 21 to strengthen public-private partnerships and provide clear guidance on designating certain critical infrastructure as systemically important.
While all critical infrastructure plays a crucial role in maintaining the systems that impact our daily lives, it’s undeniable that a cyberattack on certain elements could lead to devastating and debilitating effects on our country. Categorizing and identifying systemically important entities underpins Cybersecurity and Infrastructure Security Agency’s (CISA) ability to prioritize finite resources to protect the nation’s most vital critical infrastructure; however, categorization accomplishes little without additional guidance and resources. Once any definition of systemically important infrastructure is completed, it must be made available to all covered entities. In addition, there must be clear guidance from CISA and Sector Risk Management Agencies about what new requirements these entities will face, what new security must be deployed, and what government resources are available to help them achieve the most secure end state. Armed with this information, vendors can then work collectively as a team to build and deploy such capabilities, all while ensuring these capabilities cover the entire National Institute of Standards and Technology Cybersecurity Framework and go beyond threat monitoring.
Drawing greater attention to the importance of securing our critical infrastructure is the first step toward securing our collective defense. But more work remains to ensure our most critical systems are protected, with a continued focus on the deployment of vendor-neutral, interoperable cybersecurity solutions. We applaud the Administration for its commitment to this work, and we look forward to offering our assistance, insight, and expertise.