June 17, 2024 By Jonathan Reed 3 min read

In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI).

The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous.

Meanwhile, the magnitude of the threat against critical infrastructure continues to grow. In the 2024 IBM X-Force Threat Intelligence Index, 69.6% of attacks that X-Force responded to in 2023 were against critical infrastructure organizations. With a low threshold for downtime, critical infrastructure is a high-value target to adversaries.

Consensus among OT-related industries

Overall, OT-related critical infrastructure industries agree that the lack of regulatory harmonization harms both cybersecurity outcomes and business operations. For instance, the Business Roundtable, an association of more than 200 chief executive officers of leading U.S. companies, noted: “Duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.”

Industries within these sectors are calling for a more streamlined and coordinated approach to cybersecurity regulation. The hope is for less redundancy and a more cohesive security framework.

Growing pains and cybersecurity regulations

Unlike highly regulated sectors such as healthcare and financial services, OT-related critical infrastructure faces major hurdles in adapting to rapidly evolving cybersecurity regulations — not to mention the looming cyber threats.

OT sectors have traditionally focused more on physical security and operational efficiency, with cybersecurity often taking a backseat. The introduction of new security regulations has exposed these industries to a steep learning curve, and achieving compliance demands significant investments of both time and resources.

One of the primary issues is the divergence in regulations across different jurisdictions and sectors. This complicates achieving compliance for businesses operating across multiple regions. A patchwork of requirements creates confusion and inefficiencies as companies must comply with multiple, often conflicting, sets of rules.

Information technology (IT) systems are more standardized and benefit from a long history of IT security development. Meanwhile, OT systems are often bespoke and any system downtime can have severe repercussions. This makes implementing cybersecurity measures more complex and costly. Additionally, older OT systems were not designed with cybersecurity in mind, which makes them difficult to secure against modern cyber threats.

Striving for regulatory adoption

In the past four to five years, several new cybersecurity regulations have been introduced targeting OT-related critical infrastructure industries. Notable examples include CISA’s guidelines for industrial control systems and the NIST updates to its Cybersecurity Framework (CSF) to better address OT environments.

However, the process of adopting these new guidelines has been fraught with delays. Many industries have struggled to integrate these regulations into their existing operational frameworks, often citing a lack of clarity and support from regulatory bodies. Additionally, the complexity of OT systems and their need for continuous operation make it difficult to implement security measures without disrupting core activities.

Scrutinizing proposed harmonizations

While the ONCD’s efforts to harmonize cybersecurity regulations are commendable, industry stakeholders feel that without significant federal leadership and coordination, true regulatory harmonization may remain elusive. Can proposed frameworks effectively bridge the gap between diverse regulatory requirements and the unique needs of each sector? Only time will tell.

Moreover, some fear the drive for harmonization could lead to onerous regulations that don’t account for sector-specific nuances. This could result in a one-size-fits-all approach unsuitable for the complex landscape of OT-related critical infrastructure.

There is a clear recognition of the need for better regulatory harmonization. The ONCD’s ongoing dialogue with industry stakeholders and its pilot reciprocity framework are steps in the right direction. Still, much work remains to ensure these initiatives translate into tangible security improvements.
