On September 14, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued a Request for Information (RFI) to receive input from the public as CISA develops proposed regulations required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Among other things, CIRCIA directs CISA to develop and oversee implementation of regulations requiring covered entities to submit to CISA reports detailing covered cyber incidents and ransom payments.
The comment period ended on November 14, 2022 with 69 independently filed comments listed on regulations.gov from across industries involved in critical infrastructure operations and suppliers to operators of critical infrastructure. I’ve reviewed 15 of these comment filings, focusing primarily on Energy industry filers and IT/OT supplier filings.
I’ve observed two general philosophies expressed in these comments:
- Entities that are already reporting cybersecurity incidents within their closed communities are resistant to making changes and introducing CISA into the reporting process. They prefer to continue reporting to their industry-specific contact; NERC’s E-ISAC, for example, was strongly supported as the status quo, with the recommendation that these “intermediary” entities be the recipients of incident reports, which would then be forwarded to CISA. This is the electric industry position.
- Entities that are not already committed to an existing cybersecurity incident reporting program are more open to the concept of a harmonized “single, national point of contact for the operator to report all cyber incidents.” I think of this as a nationwide 911 service for cybersecurity incident reporting. This is the approach expressed by the Natural Gas industry and Exelon (which operates in both the electric and natural gas industries).
The IT industry commenters were more focused on keeping the responsibility for cybersecurity incident reporting on the end users of their products, as opposed to having producers of software products report all known cybersecurity incidents reported by all of their customers to CISA.
If you want to see these two philosophical positions more clearly, I suggest reading:
- NERC’s CIRCIA Comment Filing [electric industry view; ISACs receive incident reports and report to CISA]
- INGAA, et al. CIRCIA Comment Filing [Natural Gas industry view; CISA receives incident reports and reports to ISACs]; this is the “911 concept for incident reporting” I referred to earlier
I fully endorse and support Exelon’s recommendation:
Harmonization of requirements and, where possible, a single, national point of contact for the operator to report all cyber incidents.
What I find truly interesting is that one of the most compelling reasons to consolidate cyber incident reporting under CISA is actually provided by NERC in footnote 6 on page 4 of its filing (right after acknowledging that duplicative reporting to E-ISAC and CISA happens today under CIP-008-6):
"NERC’s incident reporting requirements do not apply to all cyber systems used by NERC registered entities, only those associated with bulk power system operations (i.e., operational technology systems not information technology systems). For example, a corporate accounting system that is isolated from an entity’s operational technology systems would not be subject to the CIP standards. CIRCIA reporting requirements applicable to those corporate systems would not overlap with NERC’s reporting requirements."
I hope to meet some colleagues at the December 7 FERC-DOE Technical Conference on Supply Chain Risk Management, held at FERC’s HQ.