Page 24 - Cyber Defense eMagazine September 2022

To date, CISA has not released specific information about the nature of cyberattacks to be reported, but the agency has indicated that it will expand the traditional definition of ‘critical infrastructure’ to include at a minimum the 16 Critical Infrastructure Sectors defined in a 2013 Presidential Policy Directive:

• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food & Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems


To further define the industries covered, several sectors include subsectors. For example, the commercial facilities sector includes seven subsectors covering, among others, casinos, stadiums, retail centers, and malls, under the rationale that they constitute “sites that draw large crowds of people,” but without defining what “large” is. Other sectors define covered activities instead of relying on subsectors.

Together, the 16 Sectors represent a significant expansion of what was once considered critical. For instance, they cover the entire food supply chain from farms to restaurants and grocery stores, water and electric utilities, retail banking, and telecommunication networks, including internet access providers and cell phone networks. The law gives CISA wide latitude to expand the list of covered entities within and beyond the 16 Sectors, whether by adding new covered activities or subsectors to an existing Sector, or by adding a new Sector altogether.

Most medium and large businesses may want to review the list of Critical Infrastructure Sectors, publicly available on CISA’s website. While many covered activities and terms are subject to further clarification, a review of CISA’s rationale for labelling a sector as critical may help in determining the likelihood that a business will be required to report cyber incidents. To encourage disclosure and assuage concerns about releasing potentially sensitive business data, the law includes protections against legal liability and freedom of information requests for companies that report to CISA.

Organizations that have implemented the NIST Cybersecurity Framework (CSF) or a comparable framework should already have processes in place to triage and investigate security incidents, identify external stakeholders, and disseminate relevant information. Once CISA publishes the details implementing the act, these organizations will need to update their existing processes to cover areas required under the new law that weren’t included in the original framework, including:




Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.