June 17, 2024 By Jonathan Reed 3 min read

In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI).

The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous.

Meanwhile, the magnitude of the threat against critical infrastructure continues to grow. In the 2024 IBM X-Force Threat Intelligence Index, 69.6% of attacks that X-Force responded to in 2023 were against critical infrastructure organizations. With a low threshold for downtime, critical infrastructure is a high-value target to adversaries.

Consensus among OT-related industries

Overall, OT-related critical infrastructure industries agree that the lack of regulatory harmonization harms both cybersecurity outcomes and business operations. For instance, the Business Roundtable, an association of more than 200 chief executive officers of leading U.S. companies, noted: “Duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.”

Industries within these sectors are calling for a more streamlined and coordinated approach to cybersecurity regulation. The hope is for less redundancy and a more cohesive security framework.

Explore IBM’s cybersecurity services

Growing pains and cybersecurity regulations

Unlike highly regulated sectors such as healthcare and financial services, OT-related critical infrastructure faces major hurdles in adapting to rapidly evolving cybersecurity regulations — not to mention the looming cyber threats.

OT-sectors have traditionally focused more on physical security and operational efficiency, with cybersecurity often taking a backseat. The introduction of new security regulations has exposed these industries to a steep learning curve. And to achieve compliance, this means significant investments in both time and resources.

One of the primary issues is the divergence in regulations across different jurisdictions and sectors. This complicates achieving compliance for businesses operating across multiple regions. A patchwork of requirements creates confusion and inefficiencies as companies must comply with multiple, often conflicting, sets of rules.

Information technology (IT) systems are more standardized and benefit from a long history of IT security development. Meanwhile, OT systems are often bespoke and any system downtime can have severe repercussions. This makes implementing cybersecurity measures more complex and costly. Additionally, older OT systems were not designed with cybersecurity in mind, which makes them difficult to secure against modern cyber threats.

Striving for regulatory adoption

In the past four to five years, several new cybersecurity regulations have been introduced targeting OT-related critical infrastructure industries. Notable examples include CISA’s guidelines for industrial control systems and the NIST updates to its Cybersecurity Framework (CSF) to better address OT environments.

However, the process of adopting these new guidelines has been fraught with delays. Many industries have struggled to integrate these regulations into their existing operational frameworks, often citing a lack of clarity and support from regulatory bodies. Additionally, the complexity of OT systems and their continuous operation make it difficult to implement security measures without disrupting core activities.

Scrutinizing proposed harmonizations

While the ONCD’s efforts to harmonize cybersecurity regulations are commendable, industry stakeholders feel that without significant federal leadership and coordination, true regulatory harmonization may remain elusive. Can proposed frameworks effectively bridge the gap between diverse regulatory requirements and the unique needs of each sector? Only time will tell.

Moreover, some fear the drive for harmonization could lead to onerous regulations that don’t account for sector-specific nuances. This could result in a one-size-fits-all approach unsuitable for the complex landscape of OT-related critical infrastructure.

There is a clear recognition of the need for better regulatory harmonization. The ONCD’s ongoing dialogue with industry stakeholders and its pilot reciprocity framework are steps in the right direction. Still, much work remains to ensure these initiatives translate into tangible security improvements.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today