CISA Cybersecurity Performance Goals - Guidelines for ICS

Ron Fabela, SynSaber CTO & Co-founder

CISA has released updated cross-sector cybersecurity performance goals (CPGs) as part of an ongoing campaign to renew focus on cybersecurity for critical infrastructure.

The details from CISA are linked below, along with background information and commentary.

Cybersecurity Performance Goals Origin Story

The CPG effort stems from the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, released in July of 2021. Section 4 of that memorandum, “Critical Infrastructure Cybersecurity Performance Goals,” draws on the authority of EO 13636 (February 2013) and directs the Secretary of DHS and the Secretary of Commerce to develop and issue said goals.

Initial CPGs were to be released no later than September 2021, with sector-specific goals released within one year.

🤓 Whew! That’s a lot of policy nerdiness there, so here’s a visual timeline:

(Image: Cybersecurity Performance Goals origin timeline)

It’s important to know how we got here, because the history tells us two things: first, the authority behind the goals and their applicability to each sector; and second, the timeline on which we can expect more to come in the future.

Guidelines vs. Rules

The updated cross-sector performance goals released are general provisions for critical infrastructure covering both IT (enterprise) and OT (industrial control systems) environments. These CPGs are tied directly to NIST Cybersecurity Framework (CSF) controls and are considered a subset of the overall CSF.

The CPGs are also entirely voluntary, as stated in the report, and are to be used as a guide for all organizations to improve their cybersecurity posture.

(Image: CPG Guidelines meme)

So why a rebranding of existing NIST CSF controls to a broad audience of diverse organizations? Primarily, it’s a matter of focus.

The current administration and CISA, still a new agency within DHS, are bringing renewed and welcome focus to combating threats to our critical infrastructure. Luckily there is a wealth of foundational knowledge and controls from NIST, ISA, NERC, and others upon which to base these checklists and CPGs.

Not So New Challenges

Guidance and regulation are not entirely new to critical infrastructure, but asset owners face recurring challenges whenever “top-down” guidance arrives. For the new CPGs specifically, these challenges include:

Challenge #1 – Measurement

Measurable actions and risk reduction, especially when completely voluntary, are at the discretion of whoever is doing the measuring. The current CPGs may consolidate goals and link them to outcomes and actions, but measuring those actions consistently across a large group of critical sectors is nearly impossible.

Challenge #2 – Timeliness

The timeliness of government guidance is often a roadblock to effective action. The updated CPGs are a well-polished product from CISA that obviously took a lot of resources and care. Even so, this effort took an entire year and covers only cross-sector goals; there may be a significant lag before sector-specific guidance is developed and acted on.

Challenge #3 – Goals

Finally, there’s the ongoing battle to write performance-based goals that are not so prescriptive they become inapplicable. CISA has gone to great lengths to state that these CPGs are not comprehensive and do not identify every best practice needed to protect critical infrastructure. Even within this report and checklist, asset owners are left to analyze what is applicable and feasible. Many of the goals have unique callouts for “OT” and plenty of caveats such as “where technically feasible,” a phrase that has long been the bane of effective cybersecurity governance of ICS.

As an example, consider something as simple as “Changing Default Passwords,” which on the surface is a slam dunk for security.

(Image: Example cross-sector cybersecurity performance goal)

Here, CISA is rightfully nuanced with regard to applicability to industrial control systems. Terms like “not feasible” or “requires significantly more work” are common caveats in top-down cybersecurity guidance that happens to apply to OT environments.

In my experience, these controls would truly be considered “best efforts” and, unfortunately, take a backseat to regulatory, compliance, or process-related requirements.

Carpe CPG!

Seize the CPG…err, day! While asset owners need not fret over renewed guidance from CISA, the goals in the CPG report should not come as a surprise to anyone operating cybersecurity programs.

ICS applicability and action have always been a challenge when it comes to top-down policy, but asset owners, SOC managers, CISOs, and technicians should see the CISA CPGs as an opportunity to implement real security projects within their organization, even if the CPGs lack regulatory teeth.

CISA and other government initiatives will continue… You have the power to turn top-down guidance into practical bottom-up security!

~Ron 💜🚀