Over the past year, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a stream of cybersecurity standards, advisories, and goals; the agency has even dubbed this November as “Infrastructure Security Month.” Its goal is to cyber-harden the “target rich and resource poor” real world infrastructure organizations that we rely on every day. The emphasis on zero trust approaches in these initiatives is encouraging; even more encouraging is the progress that’s likely to come next. 

CISA recently released cross-sector performance goals for all 16 agency critical infrastructure industries. These guidelines are useful, particularly when applied to smaller organizations, and they’re poised to help spur further adoption of strong cybersecurity standards, especially for Operational Technology (OT). The program goals, while deliberately voluntary, are also likely to be influential at many larger organizations, and may be the first step towards the creation of additional enforcement and oversight. 

These performance goals emphasize defense-in-depth approaches, including multi-factor authentication (MFA), zero trust remote access, and segmentation (i.e. zones separated but interconnected with secure conduits). CISA doubled down on updated MFA strategies, including phishing-resistant and numbers matching MFA, in separate guidance from October, reiterating its importance within a zero trust architecture.

Further, the emphasis on Account Management, specifically secure and managed identity, clearly reflects the influence of zero trust on critical infrastructure security. These releases also highlight the continued convergence of OT and IT systems, while acknowledging the unique challenges of securing OT, such as the challenge of protecting those OT assets that lack strong native security capabilities. 

Going forward, CISA is expected to release new sector-specific goals, following a summer Office of Management and Budget (OMB) memo directing all federal agencies to outline improved performance standards and require reviews of plans for their respective industries. CISA Director Jen Easterly also pointed to new priority sectors for 2023, including water, hospitals, and K-12 education. 

In anticipating how these industries will respond to stricter regulations, we can draw a parallel to the oil & gas industry. After being directed by the TSA to implement proactive cyber protection and submit plans for government approval, the sector has seen significant movement in the right direction. Operators are now leaning into security measures centered around proactivity and attack prevention, a step up from mere incident detection and response. This shift has been crucial, especially given that no operator wants to repeat the 2021 Colonial Pipeline ransomware attack. 

With this precedent, it’s likely that CISA’s new cross-sector standards will help today’s critical operations continue to evolve and strengthen, just as we’ve witnessed with the oil & gas sector. CISA should also continue to integrate its own work on proactive zero trust strategies into its future publications, especially to communicate that preventative cybersecurity does not require operations to rip and replace existing equipment. Ultimately, CISA can play a positive role to educate the different industries and operators to continue to assess and adopt proactive zero trust-based approaches to cyber harden critical operations and protect against escalating threats.