Critical infrastructure organizations in the United States now need to focus on complying with the ‘Cyber Incident Reporting for Critical Infrastructure Act’ (CIRCIA). This law amends the Homeland Security Act of 2002 to establish the Cyber Incident Review Office within the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.
CISA Director Jen Easterly said in a statement: “As the nation’s cyber defense agency, CISA applauds the passage of cyber incident reporting legislation. Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks.”
CIRCIA sets the stage for landmark reporting requirements for thousands of organizations in the 16 official critical infrastructure sectors in the United States: it stipulates 72 hours for reporting a covered cyber incident to CISA and 24 hours for reporting a ransomware payment.
The urgency of addressing cyber security incidents became clear when the FBI released the Internet Crime Complaint Center (IC3) 2021 Internet Crime Report, which noted:
- Of the 16 critical infrastructure sectors, IC3 reporting indicated that 14 sectors had at least one member that fell victim to a ransomware attack in 2021
- In May 2021, the IC3 posted an FBI Liaison Alert System (FLASH) report that advised the FBI identified at least 16 CONTI ransomware attacks targeting US Healthcare networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities
- In June 2021, the IC3 began tracking reported ransomware incidents in which the victim was a member of a critical infrastructure sector
- In September 2021, the IC3 posted a Private Industry Notification (PIN) which warned that ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain
- In October 2021, the IC3 posted a Joint Cybersecurity Advisory (CSA) to ic3.gov regarding ongoing cyber threats to U.S. Water and Wastewater Systems
More detail on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Under the Act, the term ‘covered entity’ means an entity that owns or operates critical infrastructure. Congress has instructed CISA to consider setting up a ‘Cyber Incident Review Office’ to perform the following activities:
- To receive, aggregate, analyze, and secure reports from covered entities related to a covered cybersecurity incident
- To facilitate the timely sharing between relevant critical infrastructure owners and operators and, as appropriate
- To conduct a review of the details surrounding such covered cybersecurity incident or group of such incidents and identify ways to prevent or mitigate similar incidents in the future
- To publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations
- To utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research
The term ‘covered cybersecurity incident’ means a cybersecurity incident experienced by a covered entity. To meet the minimum threshold for a covered cybersecurity incident, the incident must include at least one of the following:
- Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.
- Disruption of business or industrial operations due to a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability
- Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.
The Act gives CISA the authority to issue subpoenas. If a covered entity does not comply with a subpoena, the Director may bring a civil action in a district court of the United States to enforce it, and the court may punish a failure to obey an order to comply with the subpoena as contempt of court.
Covered entities’ next steps and opportunities for managed security service providers
Although the Act’s reporting requirements will not become effective for some time, covered entity organizations with operations in the PPD-21 critical infrastructure sectors should take steps now to ensure that they have systems in place to comply with the Act. The diagram below shows recommended steps for consideration; in particular, organizations should assess:
- Whether they are likely to fall within the Act’s definition of covered entities subject to reporting requirements
- Processes to create timely reports in the event of a covered cyber incident or ransomware payment
- Capabilities to preserve and collect relevant data in the event of a cyber incident
- How the reporting requirements of the Act might overlap with other disclosure obligations
Managed security service providers have opportunities to support covered entities in adhering to this Act. They need to focus on developing service offerings, capabilities, market awareness, solution accelerators and more to meet this market need. A few recommendations are depicted in the diagram below.
According to the ISG Index for Q1 2022, trends in cybersecurity have significantly shifted how organizations source cyber security services. Cyber security functions are viewed as specialty skills that enable the business. Expanding use of multi-cloud, labor shortages, a staggering volume of attacks on critical infrastructure, OT and IoT exposure to threats, and human error have accelerated potential business opportunities for managed security services. With the CIRCIA regulations, managed service providers need to develop superior consulting and advisory services.