At a glance.
- CISA’s updated Infrastructure Resilience Planning Framework.
- US DoD releases zero-trust strategy.
- GAO calls for offshore oil and gas cybersecurity strategy.
CISA’s updated Infrastructure Resilience Planning Framework.
Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) updated their Infrastructure Resilience Planning Framework (IRPF). The framework is intended to aid state, local, tribal, and territorial planners in defense of critical infrastructure, as well as resilience. CISA says that the updates were created with an evolving threat landscape in mind, adding better tools and resources to support defenders, including:
- “New tool for identifying critical infrastructure, the Datasets for Critical Infrastructure Identification guide. This dataset provides users with guidance on how and where to find publicly accessible geospatial information system (GIS) on critical infrastructure assets via the Homeland Infrastructure Foundation-Level Data (HIFLD) site, as well as several other GIS sites.
- “Guidance on the challenges of getting a diverse set of opinions when planning. It can be challenging to get all the right stakeholders together and ensure that a diverse range of opinions and interests are considered. The IRPF 1.1 expands on the process of gathering stakeholders.
- “New drought resilience information via CISA’s National Drought Resilience Partnership. This includes a new guide that provides an overview of the drought hazard, examples of direct and indirect impacts it can have on infrastructure systems, and federal resources for assessing and mitigating drought risk.
- “Revised resilience concepts that incorporate CISA’s Methodology for Assessing Regional Infrastructure Resilience. It provides additional detail on analytic methods that planners can use to improve their understanding of infrastructure systems in their community.”
The Record by Recorded Future reports that this is part of a greater move by CISA to address critical infrastructure cybersecurity, following the recent release of CISA’s Cybersecurity Performance Goals (CPGs) three weeks ago.
US DoD releases zero-trust strategy.
The US Department of Defense yesterday released a zero-trust strategy and roadmap to defend against cyber threats and attacks that “goes beyond the traditional perimeter defense approach.” The strategy outlines four strategic goals: Zero Trust Cultural Adoption; DoD information Systems Secured and Defended; Technology Acceleration; and Zero Trust Enablement. C4ISRNet reports that the documents contain over 100 activities, capabilities and pillars that are needed for zero trust. Federal News Network reports that “45 ‘capabilities’ are organized around seven ‘pillars’: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration,” which are further segmented into “target” and “advanced” zero-trust levels. “The strategy makes zero trust tangible and achievable, while recognizing a dynamic and frankly continuous improvement approach,” said Randy Resnick, director of DoD’s zero trust portfolio management office, to reporters on Tuesday.
GAO calls for offshore oil and gas cybersecurity strategy.
The US Government and Accountability Office (GAO) released a report urging for a strategy for increasing cybersecurity risks in offshore oil and gas infrastructure. The GAO observed the cybersecurity of over 1,600 U.S. offshore oil and gas facilities, and found that threat actors, vulnerabilities, and potential impacts are significant risks for the sector. SiliconANGLE reports that many of the methods used in exploration and production rely on remotely connected operational technology for safety, and older technologies have fewer cybersecurity protections implemented. The GAO also calls on the Department of the Interior’s Bureau of Safety and Environmental Enforcement in particular, noting their awareness of cybersecurity risks, but lack of action. The report says, “Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk. Such a strategy would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources and performance measures.”