![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?w=640&ssl=1\")
<\/p>\n<\/p>\n
![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.jpg?w=640&ssl=1\")
<\/div>\nThe US government has issued a series of prescriptions for preparing critical infrastructure operators for disasters, physical attacks, and cyberattacks, with an emphasis on the ability to recover from disruptions in the future.<\/p>\n
The initiative, dubbed “Shields Ready,” aims to convince 16 identified critical infrastructure sectors to invest in hardening their systems and services against any disruption, no matter the source. The effort, spearheaded by both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), assumes that attacks and disasters will happen and calls on critical infrastructure operators to prepare to keep services running.<\/p>\n
The interconnectedness of the 16 critical infrastructure sectors, and the supply chain on which they rely, means preparedness is critical, said Jen Easterly, director of CISA.<\/p>\n
“Our nation’s critical infrastructure entities \u2014 from schools to hospitals to water facilities \u2014 must have the tools and resources to respond to and recover from disruption,” she said in a statement<\/a>. “By taking steps today to prepare for incidents, critical infrastructure, communities and individuals can be better prepared to recover from the impact of the threats of tomorrow, and into the future.”<\/p>\n The dangers to critical infrastructure have increased in recent years, with disruptions caused by severe disasters \u2014 such as the wildfires in California and the coronavirus pandemic \u2014 and cyberattacks. In the past five years, for example, pharmaceutical firm Merck suffered a major outage<\/a> because of the NotPetya cyberattack in 2017, while this year competitor Pfizer suffered a tornado strike<\/a> on a major warehouse that caused disruptions to the supply of certain drugs. And famously, in May 2021, US pipeline operator Colonial Pipeline suffered a ransomware attack<\/a>, shutting down its services for a week, which led to gas shortages throughout the southeast United States.<\/p>\n A previous campaign, known as “Shields Up,” focused on convincing critical infrastructure organizations to take defensive actions in reaction to specific threat intelligence. Shields Ready is all about preparing for the worst across the board, says Michael Hamilton, co-founder and CISO of Critical Insight, a cybersecurity consultancy.<\/p>\n “The hidden message here is, it’s coming, and looking around the world, it’s not that hard to predict,” he says, pointing to regular FBI and CISA warnings to industrial control and critical infrastructure providers. “It’s not hard to put two and two together and say, you know the threat level has gone up for infrastructure disruption.”<\/p>\n A problem for the initiative is that many of the current recommendations are voluntary and informational. Since November has been designated “Critical Infrastructure Security and Resilience Month,” CISA published a toolkit<\/a> for critical infrastructure providers, a 15-page document covering specific threats, security challenges, and self-assessment exercises. The agency also published<\/a> the Infrastructure Resilience Planning Framework (IRPF) and guides on how to develop a resilient supply chain and how to respond to a cyberattack.<\/p>\n Still, the effort lacks regulatory teeth, says Tom Guarente, vice president of government affairs at Armis, an operational technology (OT) security firm.<\/p>\n “What it appears to really be about is building resilience in terms of starting with situational awareness, talking about the importance of sharing information between public and private sector entities,” he says. “They say there’s a toolkit, and but the toolkit appears to be made up mostly of guidelines \u2014 you know, PDF documents. So the short answer is, I don’t know what will come out of the Shields Ready campaign.”<\/p>\n Yet coming up with general guidelines under the umbrella of Shields Ready for all 16 critical infrastructure sectors is likely impossible, so it is unsurprising that the initial effort lacks details, says Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, a provider of cybersecurity for OT networks. Each critical infrastructure sector has a Sector Risk Management Agency<\/a> \u2014 typically the Department of Homeland Security, but in some cases the Department of Energy, Defense, Health and Human Services, or Transportation is the designated SRMA \u2014 that will make sector-specific guidelines and requirements.<\/p>\n “I think the government is more in an audit mode today,” she says. “It\u2019s important to remember that critical infrastructure is not monolithic, there\u2019s no one-size-fits-all security plan, program, or set of controls that benefits all 16 sectors the same.”<\/p>\n Those efforts, for the most part, appear to take a light touch toward getting industry executives on board. Because security continues to be a cost center \u2014 the tax of doing business \u2014 companies naturally want to minimize those expenditures, which is why punitive action will likely be necessary to get many of the recommendations implemented, says Critical Insight’s Hamilton.<\/p>\n Holding executives liable for their company’s performance during a disaster or a cyberattack \u2014 such as the charges against the CISO of SolarWinds<\/a> \u2014 has already been a rude awakening for the industry, he says.<\/p>\n “Having briefed senators, generals, and governors, I’ve found that you can talk about scary Russians, supply chains, buffer overflows, and SQL injection all you want, and you’re just gonna get eye-rolling,” Hamilton says. “But as soon as you say ‘executive negligence,’ you have an audience. That’s exactly what the government is doing \u2014 they are going to hold executive leadership as negligent and that’s getting everybody’s attention.”<\/p>\n Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" The US government has issued a series of prescriptions for<\/p>\n","protected":false},"author":12,"featured_media":2035,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2034","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1",163,163,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?resize=163%2C163&ssl=1",163,163,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?resize=163%2C163&ssl=1",163,163,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/shields-ready-critical-infrastructure-initiative-addresses-inevitable-cyberattacks.png?fit=163%2C163&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2034"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2034\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2035"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Policy Initiatives for Shields Ready<\/h2>\n
Encouraging Critical Infrastructure Safety: Carrot or Stick?<\/h2>\n