Keep Calm and Find the Overlap in ICS Regulations

Making Sense of ICS Regulations and Government Guidance

It may seem like the government issues new ICS regulations and cybersecurity guidance for critical infrastructure every few weeks. While there is a flood of information affecting many industries, it’s important not to get overwhelmed.

Whether new regulations are directed at pipelines or water utilities, everyone is in the same boat, as many of these recommendations overlap. Regulations are ever-evolving, so focusing on priorities is critical – keep calm and find the overlap!

Maximum Coverage, Minimum Tools

Organizations should first take a step back and focus on the convergence between these different regulatory and compliance requirements. Determine how you can achieve the most coverage with the fewest tools and the least overall change.

When government agencies issue new guidance and recommendations, the same information tends to be repeated from one document to the next. Review the documentation to determine where overlap occurs, and then focus on the areas that cover the highest number of requirements repeated across those recommendations.

Examples of Overlap in ICS Regulations

Much of the guidance and regulations focus on consistent themes, such as information sharing and the importance of reporting incidents, breaches, and ransomware infections. There will likely be additional requirements and standards issued pertaining to asset inventory, perimeter protection, monitoring and logging, and Zero Trust.

Below are some examples of overlap in recent regulations and government guidance:

ICS Regulations / Guidance re: Information Sharing & Reporting 📝

ICS Regulations / Guidance re: Monitoring & Logging 🪓

These are just a few of the examples of overlap that you’ll find when digging through documentation.

Suggestions from SynSaber

The above examples of overlap are just a few that we’ve selected from recent documents. Given this, what should organizations do once new government guidance and regulations are issued? And where should their focus be?

Improve Visibility 🕶️

We believe organizations should place high importance on both visibility and monitoring. Doing this helps support infrastructure health and ultimately leads to improvements in safety, reliability, threat detection, response, and recovery.

Organizations should also make sure that they have documented security, reporting, and response processes in place. This will go a long way in minimizing headaches if an event occurs.

Understand Vulnerabilities 🔓

It’s also critical to know your update and patching status and to understand your environment’s potential vulnerabilities. When compliance standards and regulations are issued, chances are they will be focused on the latest exploit, vulnerability, or threat.

In the aftermath of the Apache Log4j vulnerability, CISA & DHS swiftly issued guidance on vulnerability mitigation. This example shows how guidance may be reactive and underscores the importance of taking everything in stride and ensuring organizations understand their vulnerabilities in advance of an event.

In Conclusion: Plan your Work and Work your Plan

While it might sound cliche, it’s essential to have a plan and stick to it. Implementing new guidance does not happen overnight; it is a process. Create a roadmap that lays out what your evolution should entail. By having a detailed plan that lays out what this process should look like, you are taking a vital step towards meeting future requirements before they are even issued.

Ultimately, when the government issues new guidance and recommendations, it may seem daunting at first. But it doesn’t have to be. Remember that many new guidelines and standards may be rehashes of things you are already doing and that key recommendations likely have overlap across other guidelines. Keep calm, find the overlap, and focus on what gives your organization the most coverage across all regulations.