Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure

Recent activity from the Biden Administration represents a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that impact the critical infrastructure we all rely on.

On July 28, the Biden Administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Given the recent increase in attacks on critical infrastructure and industrial operations, this is a much-needed step to protect U.S. critical infrastructure from cyberattacks, and comes on the heels of the Cybersecurity and Infrastructure Security Agency (CISA) guidance on Ransomware for OT issued in June 2021.

In the July 28 memorandum, the White House calls for a "whole-of-nation" effort to secure critical infrastructure from "growing, persistent, and sophisticated cyber threats" that could have "cascading physical consequences [and] . . . a debilitating effect on national security, economic security, and the public health and safety of the American people."   

The memorandum and the earlier CISA guidance on ransomware for OT represent a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that can emanate from a variety of attack paths. With the rapid convergence of IT and OT infrastructures, new paths for attacks are emerging and have already been proven to directly impact the critical infrastructure we all rely on.  

What it means

The most substantive thrust of these government actions is recognizing and acting on the accelerated trend of reconnaissance and attack by establishing the Industrial Control Systems (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to protect U.S. critical infrastructure "by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks," with a primary goal of "greatly expand[ing] deployment of these technologies across priority critical infrastructure."

Under the Initiative, the federal government will work with industry to share threat information for priority control system critical infrastructure, and sector risk management agencies will work with critical infrastructure stakeholders to implement the principles and policy outlined in the July 28 memorandum. 

The Initiative began in mid-April with an electricity subsector pilot. Over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies, a move that will be instrumental in stopping future attacks on our critical infrastructure.  In light of some of the most recent global attacks targeting oil and gas pipelines, a new action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.  The pilot plan for the electricity subsector could serve as an effective model. 

The bar is set

The memorandum calls for the creation of cyber performance goals for critical infrastructure companies, including the establishment of baseline cybersecurity performance standards and goals consistent across all critical infrastructure sectors that would be  jointly developed by CISA and the National Institute of Standards and Technology (NIST). Looking into the immediate future, the U.S. Department of Homeland Security (DHS) will issue preliminary goals for control systems across critical infrastructure sectors by September 22, 2021, followed by final cross-sector control system goals, and sector-specific goals, by July 28, 2022. 

In summary

Tenable encourages CISA and the U.S. government to take an open, technology-neutral, standards-based approach in the development of these goals. Core elements for consideration as the most appropriate and successful methods of disrupting attack paths and securing critical infrastructure and OT environments revolve around three key pillars:

• Visibility: Gain full visibility and deep situational awareness across your converged IT/OT environment.

• Security: Protect your industrial infrastructure from advanced cyberthreats and risks posed by hackers and malicious insiders.

• Control: Take full control of your operations network by continuously tracking ALL changes to any ICS device.


Security professionals tasked with protecting critical infrastructure should use government guidance, such as the most recent memos, to proactively address new and emerging risks that can impact their OT environment and core mission of their organization. 

Learn more 

• View the on-demand webinar, Q3 Industrial Cybersecurity Update: A Virtual Retreat for Security Leaders
• Download the whitepapers, Align with CISA's guidance on Ransomware for OT, Align with NIST and Align with CSA/NSA Alert AA20-205A

• Read the solution guide, Align with NERC

• See how Tenable.ot can help by visiting our product page, Disrupt OT Threats with Tenable.ot