The Biden administration is issuing new security guidance to critical infrastructure firms in an attempt to blunt the impact of ransomware and other hacks, following a series of attacks on US companies.
The recommendations, which are expected to be released by the departments of Commerce and Homeland Security on Wednesday, are aimed at protecting the computer systems that end up in sensitive US facilities from hacking.
The baseline security measures are needed to “protect national and economic security, as well as public health and safety,” the departments said in a statement. The recommendations include having protocols in place to identify cybersecurity risks and for companies to regularly drill for cyberattacks on their networks.
“It is vital that critical infrastructure owners and operators immediately take steps to strengthen their cybersecurity posture toward these high-level goals,” Homeland Security Secretary Alejandro Mayorkas and Commerce Secretary Gina Raimondo said in a joint statement Wednesday. “The safety and security of the American people relies on the resilience of the companies that provide essential services such as power, water, and transportation.”
President Joe Biden ordered the agencies to develop the security goals and recommendations in a July national security memorandum.
White House officials have placed greater emphasis on industrial cybersecurity following a February incident at a water treatment plant in the Tampa Bay area. A still-unidentified hacker breached the plant’s computer system and tried to raise the water’s sodium hydroxide level to a potentially dangerous level. Officials at the facility caught the intrusion before any harm was done.
The target audience of the new recommendations is the operators of industrial control systems – the hardware and software that oil companies and other critical infrastructure firms use to move their product across the country. The measures are voluntary, as opposed to the mandatory cybersecurity regulations that the Biden administration imposed on pipeline operators in May following the ransomware attack on Colonial Pipeline.
Many big oil, gas and electricity firms have extensive cybersecurity programs. But US officials are also trying to reach the numerous firms with fewer resources that operate critical infrastructure.
Hackers have also shown that they don’t need to breach control systems to impact critical business operations. For example, alleged Russian criminals forced Colonial Pipeline, a major US fuel provider, to shut down for days in May by locking up the company’s IT systems.
The breach brought scrutiny of Colonial Pipeline’s cybersecurity practices after the company conceded that the hackers accessed its systems using a single stolen password. Colonial Pipeline has defended its cybersecurity work, saying it has invested in a robust defensive program.
The cybersecurity guidance from the Biden administration comes on the heels of the latest ransomware attack on a US food distributor. New Cooperative, a grain cooperative with 60 locations in Iowa, said Monday that it had taken its computers offline after Russian-speaking hackers encrypted them.
This story has been updated with additional details Wednesday.