The U.S. Senate has passed the Strengthening American Cybersecurity Act of 2022, which will require federal agencies and organizations in the critical infrastructure sector to report cyberattacks within 72 hours. Organizations will also be required to report ransom demands and payments.

The Senate passed the cybersecurity act amid warnings from the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) about the potential for Russian cyberattacks targeting U.S. organizations.

The bill aims to bolster the cybersecurity posture of the federal government, as well as the cyber incident reporting practices of the critical infrastructure sector.

The cybersecurity act presents two challenges to critical infrastructure organizations, according to Jim McKenney, Practice Director, Industrials and Operational Technologies at NCC Group.

“The first challenge — resource constraints in people, time and funding — can be addressed by running cyber incident response tabletop exercises with partners who specialize in operational environments to “right-size” the response plan with the necessary tools, processes and people," said McKenney.

A lack of instrumentation in critical infrastructure environments also presents a challenge, according to McKenney. "A bank can rather easily invest in a centralized intrusion detection system within a data center, but critical infrastructure operator facilities such as compressing stations, water towers and substations, which are distributed across a great deal of geography, will have space, power, communications and network infrastructure limitations. Because of this, operating environments require significantly more time, effort and expertise to obtain a comparable level of capabilities that a bank would enjoy.”