The Department of Homeland Security (DHS) has announced a proposed set of rules for critical infrastructure reporting. In the event of a cyberattack or other cyber incident, these rules will outline how critical infrastructure organizations will be expected to report to the federal government. The process of reporting incidents will be overseen by the CISA, as is stipulated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

Security leaders weigh in 

Jose Seara, CEO and Founder at DeNexus:

“The convergence and alignment of cybersecurity requirements by industry regulators and government agencies such as the SEC and CISA is much needed. It will allow corporations to simplify and therefore deploy more effective cybersecurity programs. We also recommend enterprises start with a cyber risk quantification exercise to bring clarity on where they’re most at risk and how to prioritize risk mitigation projects.”

John Gallagher, Vice President of Viakoo Labs at Viakoo:

“Kudos for the progress CISA has made with CIRCIA.  CIRCIA is a key milestone in moving critical infrastructure (and organizations in general) towards more awareness and coordinated response to cyber threats.  It’s not the destination (secure and resilient infrastructure), but an important waypoint towards it. 

“As the attack surface within critical industries has shifted towards IoT/OT/ICS vulnerabilities, CIRCIA has been forward-thinking in its focus on these types of vulnerabilities, and has acted as an accelerant to industry-level information and best practice sharing.   However, there needs to be a lot more effort in terms of benchmarking of preparedness and more structure around what ethical disclosure means for critical infrastructure/Cyber-Physical System (which is different than data theft).    

“The impact of critical infrastructure being breached is both enormous and highly time-sensitive, so by bringing the reporting timing down it significantly reduced the window of vulnerability from the breach.  For example, if the threat actor can rely on delayed reporting it opens up a much larger potential for organizational to be breached.  Shortening the reporting time directly shortens a cyber-criminal being able to act unnoticed.  

“It’s particularly notable that CISA has established different reporting timelines for cyber incident reporting (72 hours) versus ransomware payment (24 hours).  A longer timing for incident reporting helps to reduce false alarms and gives more time to assess the overall threat.  Ransomware payment is completely different, and if it isn’t outlawed at least there is a short reporting window.  

“Having clear definitions of what organizations are covered and details around there requirements also gives cyber insurance providers a way to work with critical infrastructure organizations and leverage these guidelines to base underwriting decisions.  

“Another aspect that stands out is the estimated costs.  Estimated costs of $2.6B over 11 years ($236M per year) is modest compared to the scale of cyber-crime or the impact of critical infrastructure incidents. Underfunding critical infrastructure or cyber-physical system security is a questionable decision.”