Cybersecurity: Critical Infrastructure Authoritative Reports and Resources

Updated November 30, 2018 (R44410)

Summary

Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, §1016(e)) as "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."

Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; and electric power, oil and gas production, and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense.

In February 2013, the Obama Administration issued PPD-21, Critical Infrastructure Security and Resilience, which superseded HSPD-7 issued during the George W. Bush Administration. PPD-21 made no major changes in policy, roles and responsibilities, or programs, but did order an evaluation of the existing public-private partnership model, the identification of baseline data and system requirements for efficient information exchange, and the development of a situational awareness capability. PPD-21 also called for an update of the National Infrastructure Protection Plan and a new Research and Development Plan for Critical Infrastructure, to be updated every four years.

The following CRS reports comprise a series that compiles authoritative reports and resources on cybersecurity:

CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by Rita Tehan

CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by Rita Tehan

CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by Rita Tehan

CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan

CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan

CRS Report R44417, Cybersecurity: State, Local, and International Authoritative Reports and Resources, by Rita Tehan

Introduction

Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, §1016(e)), signed October 26, 2001, as "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."

Presidential Decision Directive 63 (or PDD-63), signed May 22, 1998, identified activities whose critical infrastructures should be protected:

  • information and communications;
  • banking and finance;
  • water supply;
  • aviation, highways, mass transit, pipelines, rail, and waterborne commerce;
  • emergency and law enforcement services;
  • emergency, fire, and continuity of government services;
  • public health services;
  • electric power, oil and gas production, and storage.

In addition, PDD-63 identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense.

In February 2013, the Obama Administration issued PPD-21, Critical Infrastructure Security and Resilience, which superseded HSPD-7 issued during the George W. Bush Administration. PPD-21 made no major changes in policy, roles and responsibilities, or programs, but did order an evaluation of the existing public-private partnership model, the identification of baseline data and system requirements for efficient information exchange, and the development of a situational awareness capability. PPD-21 also called for an update of the National Infrastructure Protection Plan and a new Research and Development Plan for Critical Infrastructure, to be updated every four years.

This report serves as a starting point for congressional staff assigned to cover cybersecurity issues as they relate to critical infrastructure. Much is written about protecting U.S. critical infrastructure, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order with an emphasis on material published in the last several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources related to the following sectors:

  • Table 1, overview reports and resources;
  • Table 2, energy, including electrical grid, smart grid, SCADA, and industrial control systems;
  • Table 3, financial industry, including banks, insurance, SEC guidance, FFIEC, FDIC, FSOC, and IRS;
  • Table 4, health, including Healthcare.gov, health insurance, Medicaid, and medical devices;
  • Table 5, telecommunications and communications, including wired, wireless, Internet service providers, GPS, undersea cables, and public safety broadband network;
  • Table 6, transportation, including Coast Guard, air traffic control, ports and maritime, and automobiles; and
  • Table 7, other critical infrastructure sectors not listed above.

Table 1. Overview Reports and Resources

Columns: Title; Source; Date; Notes

Critical Infrastructure Sectors (list)

Department of Homeland Security (DHS)

Continuously Updated

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The critical infrastructure sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation; and water and wastewater systems.

National Council of ISACs

Information Sharing and Analysis Centers (ISAC)

Continuously Updated

The mission of the National Council of ISACs (NCI) is to advance the physical and cybersecurity of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government. Members of the Council are the individual Information Sharing and Analysis Centers (ISAC) that represent their respective sectors.

National Risk Management Center Fact Sheet

DHS

August 28, 2018

DHS is establishing a joint center to provide a centralized home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure.

Managing a Cyber Attack on Critical Infrastructure: Challenges of Federal, State, Local, and Private Sector Collaboration

Intelligence and National Security Alliance

August 1, 2018

On November 8, 2017, the Domestic Security Council and the Cyber Council of the Intelligence and National Security Alliance (INSA) organized a tabletop exercise (TTX) to examine the effectiveness of mechanisms to respond to and recover from a cyber attack on critical infrastructure. The TTX was intended to generate lessons and recommendations for improving responses to cyber attacks that affect multiple critical infrastructures, with an emphasis on the energy and transportation sectors.

Foreign Economic Espionage in Cyberspace

Office of the Director of National Intelligence (ODNI)

July 24, 2018

In the 2011 report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, the Office of the National Counterintelligence Executive provided a baseline assessment of the many dangers facing the U.S. research, development, and manufacturing sectors when operating in cyberspace, the pervasive threats posed by foreign intelligence services and other threat actors, and the industries and technologies most likely at risk of espionage. The 2018 report provides additional insight into the most pervasive nation-state threats, and it includes a detailed breakout of the industrial sectors and technologies judged to be of highest interest to threat actors. It also discusses several potentially disruptive threat trends that warrant close attention.

Framework for Improving Critical Infrastructure Cybersecurity

National Institute of Standards and Technology (NIST)

April 16, 2018

The voluntary framework consists of customizable cybersecurity standards that can be adapted by various sectors and by organizations large and small. To encourage the private sector to adopt the framework fully, DHS launched the Critical Infrastructure Cyber Community (C3, or "C-cubed") Voluntary Program. C3 gives companies that provide critical services (such as cellular service, email, banking, and energy) and state and local governments direct access to DHS cybersecurity experts who know specific threats, can instruct in ways to counter those threats, and can advise on how, over the long term, to design and build systems that are less vulnerable to cyber threats. (41 pages)

Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption

Government Accountability Office (GAO)

February 15, 2018

Most of the 16 critical infrastructure sectors took action to facilitate adoption of NIST's Cybersecurity Framework. GAO makes nine recommendations that the sector-specific agencies develop methods for determining framework adoption across their respective sectors, in consultation with their sector partners (such as the sector coordinating councils), DHS, and NIST, as appropriate.

ICS-CERT Monitor Newsletters

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Monitor

Last updated December 2017

ICS-CERT publishes the Monitor Newsletter when an adequate amount of pertinent information has been collected. The newsletter is a service to personnel actively engaged in the protection of critical infrastructure assets.

Future Focus Study: Strengthening the NIAC Study Process

National Infrastructure Advisory Council (NIAC)

September 2017

NIAC studies potential risks to critical infrastructure, both in the physical world and in cyberspace. The 15-year-old group is also charged with recommending solutions to reduce risks to infrastructure. NIAC found that its mission and operations are not well understood by stakeholders and policymakers, that its recommendations do not always reach the target audience, that customers would appreciate interim findings as studies progress, and that its final reports "may be too dense for easy use" by NIAC stakeholders.

Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

NIAC

August 22, 2017

The report says that threat information-sharing programs are hindered by intelligence being classified and clearances being too difficult to obtain. Other federal critical infrastructure programs are fragmented across multiple agencies, making it difficult for private-sector infrastructure firms to navigate. The report makes several recommendations, including rapidly declassifying intelligence and streamlining the federal bureaucracy. It also suggests implementing market-based incentives to improve cybersecurity, bolstering the workforce with a public-private expert exchange program and hardening communications systems to use in case of emergency. (45 pages)

ICS-CERT Assessment Activity for May/June 2017

ICS-CERT Monitor

May/June 2017

Reports on the number of visits federal cybersecurity experts have made to critical infrastructure providers [see page 5]. Compared with the previous year, the overall number of such visits is up significantly, according to the records of DHS's cybersecurity response team. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) made a total of 35 onsite cybersecurity assessments across the 16 critical infrastructure sectors between May and June 2017, according to the organization's bimonthly newsletter on its activities.

Keeping America Safe: Toward More Secure Networks for Critical Sectors

Massachusetts Institute of Technology, Center for International Studies

March 2017

The digital systems that control critical infrastructure in the United States and most other countries are easily penetrated and architecturally weak, and this has been known for a long time. Much effort has been devoted to developing better security standards, but most standards are merely advisory. Key federal departments, notably but not exclusively, Homeland Security, Defense, and Energy have devoted significant effort to improving infrastructure security, but these efforts have not altered the strategic balance. (49 pages)

Mapping the Global Legal Landscape of Blockchain Technologies

Max Planck Institute for Comparative Public Law & International Law; Centre for International Governance Innovation

February 14, 2017

Blockchain technologies are beginning to push a broad array of global economic activities away from centralized and toward decentralized market structures. Governments should tackle the new regulatory conundrums of an increasingly disintermediated global economy by focusing on blockchain's individual use cases rather than its underlying enabling technologies. Grouping the known use cases around common characteristics reveals three broad categories of blockchain/law interfaces: the green box, the dark box, and the sandbox. Each raises distinctive legal, regulatory, and policy challenges deserving of separate analysis. (15 pages)

Critical Infrastructure Protection: DHS Has Made Progress in Enhancing Critical Infrastructure Assessments but Additional Improvements are Needed

GAO

July 12, 2016

This testimony summarizes past GAO findings on progress made and improvements needed in DHS's vulnerability assessments, such as addressing potential duplication and gaps in these efforts. (21 pages)

Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Office of Personnel Management (OPM)

June 24, 2015

OPM lists 15 new steps and 23 ongoing actions to secure its computer networks. The agency plans to ask for additional funds for its IT budget next fiscal year. (8 pages)

Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts

GAO

September 15, 2014

DHS used 10 different assessment tools and methods from FY2011 through FY2013 to assess critical infrastructure vulnerabilities. Four of the 10 assessments did not include cybersecurity. The differences in the assessment tools and methods mean DHS is not positioned to integrate its findings in identifying priorities. (82 pages)

Critical Infrastructure: Security Preparedness and Maturity

Unisys and the Ponemon Institute

July 2014

Unisys and the Ponemon Institute surveyed nearly 600 IT security executives of utility, energy, and manufacturing organizations. Overall, the report finds organizations are simply not prepared to deal with advanced cyber threats. Only half of the companies surveyed have deployed IT security programs, and, according to the survey, the top threat stems from negligent insiders. (34 pages)

Implementation Status of the Enhanced Cybersecurity Services Program

DHS Office of Inspector General

July 2014

The National Protection Programs Directorate (NPPD) has made progress in expanding the Enhanced Cybersecurity Services program. As of May 2014, 40 critical infrastructure entities were participating in and 22 companies had signed memorandums of agreement to join the program. Although NPPD has made progress, the Enhanced Cybersecurity Services program has been slow to expand because of limited outreach and resources. In addition, cyber threat information sharing relies on NPPD's manual reviews and analysis, which has led to inconsistent cyber threat indicator quality. (23 pages)

Sector Risks Snapshots

DHS

May 2014

DHS's snapshots provide an introduction to the diverse array of critical infrastructure sectors, touching on some of the key threats and hazards concerning these sectors and highlighting the common, first-order dependencies and interdependencies between sectors. (52 pages)

Notice of Completion of Notification of Cyber-Dependent Infrastructure and Process for Requesting Reconsideration of Determinations of Cyber Criticality

DHS National Protection and Programs Directorate (NPPD)

April 17, 2014

The Secretary of DHS has been directed to identify critical infrastructure in which a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In addition to identifying such infrastructure, the Secretary must confidentially notify the infrastructure's owners and operators and establish a mechanism through which entities can request reconsideration of that identification, whether inclusion of or exclusion from the critical infrastructure list. The notice informs owners and operators of critical infrastructure that the confidential notification process is complete and describes the process for requesting reconsideration. (3 pages)

The Federal Government's Track Record on Cybersecurity and Critical Infrastructure

Senate Homeland Security and Governmental Affairs Committee (Minority Staff)

February 4, 2014

Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service (CRS). NIST, the government's official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. Yet the Senate report found that agencies—even those with responsibilities for critical infrastructure or vast repositories of sensitive data—continue to leave themselves vulnerable, often by failing to take the most basic steps toward securing their systems and information. (19 pages)

Computer Security Incident Coordination (CSIC): Providing Timely Cyber Incident Response

NIST

June 28, 2013

NIST is seeking information relating to CSIC as part of the research needed to compile a new supplemental publication to help computer security incident response teams (CSIRTs) coordinate effectively when responding to computer-security incidents. The NIST special publication will identify technical standards, methodologies, procedures, and processes that facilitate prompt and effective response. (3 pages)

Cybersecurity: The Nation's Greatest Threat to Critical Infrastructure

U.S. Army War College

March 2013

The paper provides a background on what constitutes national critical infrastructure and critical infrastructure protection; discusses the immense vulnerabilities, threats, and risks associated in the protection of critical infrastructure; and outlines governance and responsibilities of protecting vulnerable infrastructure. The paper makes recommendations for federal responsibilities and legislation to direct national critical infrastructure efforts to ensure national security, public safety, and economic stability. (38 pages)

NIPP 2013: Partnering for Critical Infrastructure Security and Resilience

DHS

2013

The National Infrastructure Protection Plan (NIPP) 2013 meets the requirements of Presidential Policy Directive-21, "Critical Infrastructure Security and Resilience," signed in February 2013. The plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes. (57 pages)

Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use

GAO

December 9, 2011

According to GAO, given the plethora of cybersecurity guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets. (77 pages)

Continued Attention Needed to Protect Our Nation's Critical Infrastructure

GAO

July 26, 2011

A number of significant challenges remain to enhancing the security of cyber-reliant critical infrastructures, such as (1) implementing actions recommended by the President's cybersecurity policy review; (2) updating the national strategy for securing the information and communications infrastructure; (3) reassessing DHS's planning approach to critical infrastructure protection; (4) strengthening public-private partnerships, particularly for information sharing; (5) enhancing the national capability for cyber warning and analysis; (6) addressing global aspects of cybersecurity and governance; and (7) securing the modernized electricity grid. (20 pages)

Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems

GAO

March 16, 2011

According to GAO, executive branch agencies have made progress instituting several government-wide initiatives aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems. (17 pages)

Partnership for Cybersecurity Innovation

White House Office of Science and Technology Policy

December 6, 2010

The Obama Administration released a memorandum of understanding signed by the Department of Commerce's NIST, DHS's Science and Technology Directorate (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed up the commercialization of cybersecurity research innovations that support the nation's critical infrastructures. (4 pages)

Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed

GAO

July 15, 2010

Private-sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private-sector stakeholders, federal partners are not consistently meeting these expectations. (38 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 2. Energy Sector

(includes electrical grid, smart grid, SCADA, and industrial control systems)

Columns: Title; Source; Date; Notes

Cybersecurity for Energy Delivery Systems Program (CEDS)

Department of Energy (DOE), Office of Electricity Delivery and Energy Reliability

Continuously Updated

The program assists the energy-sector asset owners (electric, oil, and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.

Cybersecurity Capability Maturity Model (C2M2)

DOE Office of Electricity Delivery and Energy Reliability

Continuously Updated

The model was developed by the DOE and industry as a cybersecurity control evaluation and improvement management tool for energy sector firms. It tells adherents how to assess and grade adoption of cybersecurity practices.

GridEx

North American Electric Reliability Corporation (NERC) 

Continuously Updated

The objectives of the NERC Grid Security Exercise (GridEx) series are to use simulated scenarios (with no real-world effects) to exercise the current readiness of participating electricity subsector entities to respond to cyber or physical security incidents and provide input for security program improvements to the bulk power system. GridEx is a biennial international grid security exercise that uses best practices and other contributions from DHS, the Federal Emergency Management Agency (FEMA), and NIST.

Critical Electric Infrastructure Information; New Administrative Procedures

DOE

October 29, 2018

This proposed rule, issued for public comment, would implement DOE's critical electric infrastructure information (CEII) designation authority under the Federal Power Act. The proposed administrative procedures are intended to ensure that stakeholders and the public understand how the department would designate, protect, and share CEII.

Potential Electric Grid Vulnerability from Cyber Enabled Foreign Actors: A Risk Assessment Study of Solar Inverter Technology

Ridge Global

October 29, 2018

With the growth of internet-connected solar power systems across the United States comes a greater risk of cyber attacks on the electric grid. The biggest potential problem is that an attacker who gained access to thousands of solar inverters could shut down the electricity they supply to the grid.

Supply Chain Risk Management Reliability Standards

DOE, Federal Energy Regulatory Commission (FERC)

October 26, 2018

The final rule approves new and revised Critical Infrastructure Protection (CIP) Reliability Standards that tighten cybersecurity requirements for the equipment and software used to operate electric grid infrastructure. It expands the scope of the systems subject to the supply chain risk management standards and directs NERC to extend them to Electronic Access Control or Monitoring Systems (EACMS), which include technologies such as firewalls, authentication services, and alerting systems.

Evaluation Report: Department of Energy's Unclassified Cybersecurity Program

DOE Office of Inspector General

October 19, 2018

Although improvements were made since last year's report, the inspector general found that some of the department's offices were lagging in implementing key protections to keep computer systems and web applications safe from known vulnerabilities.

DOE Award Selections for the Research, Development, and Demonstration of Next-Generation Cybersecurity Tools and Technologies for Critical Energy Infrastructure

DOE

October 1, 2018

DOE awards up to $28 million to support the research, development, and demonstration (RD&D) of tools and technologies to improve the cybersecurity and resilience of the nation's energy critical infrastructure, including the electric grid and oil and natural gas infrastructure. Almost all the projects involve a collaboration between a DOE national lab, a university, and a power company.

Resilience for Grid Security Emergencies: Opportunities for Industry-Government Collaboration

Johns Hopkins University Applied Physics Laboratory

September 1, 2018

The report highlights the phases that grid security emergencies are likely to entail. It analyzes the requirements that emergency orders must meet for each phase, and how orders can supplement existing utility plans and capabilities to fill gaps in grid resilience. The report also examines how emergency orders can strengthen deterrence against grid attacks and help defeat adversaries, if deterrence fails.

Cyber Security Programs for Nuclear Power Reactors

Nuclear Regulatory Commission (NRC)

August 23, 2018

The NRC is issuing for public comment Draft Regulatory Guide (DG) DG-5061, "Cyber Security Programs for Nuclear Power Reactors." The revision incorporates lessons learned from operating experience since the original publication of the guide. Specifically, it clarifies issues identified during interim cybersecurity milestone inspections, provides additional insights gained through the Security Frequently Asked Questions (SFAQs) process, and reflects cybersecurity attacks, new technologies, and new regulations that have emerged since the original publication.

Cyber Security Incident Reporting Reliability Standards

Federal Energy Regulatory Commission (FERC)

July 31, 2018

FERC directs the North American Electric Reliability Corporation (NERC) to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).

Evaluation of the U.S. Department of the Interior's Cybersecurity Practices for Protecting Critical Infrastructure [Redacted]

Department of the Interior (DOI) Office of Inspector General

July 1, 2018

In a partially redacted memo, Jefferson Gilkeson, director of information technology audits for Interior OIG, informed the commissioner of the U.S. Bureau of Reclamation (USBR) that auditors have completed the second and final part of their report evaluating potential cybersecurity weaknesses associated with five hydroelectric dams managed and operated by the bureau. The memo indicated that auditors were satisfied that there were not any additional security vulnerabilities associated with the system, noting that a review of network traffic and key computers failed to turn up any evidence of anomalies or indicators of compromise.

U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk from Insider Threats

DOI

June 11, 2018

The review of critical hydroelectric dams showed little risk of hackers breaching the advanced industrial control systems, or ICS, that operate the dams. However, investigators found significant weaknesses in the management of employee access, making the dams highly vulnerable to insider threats.

Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities

DHS and DOE

May 26, 2018

Although the country "… in general, is well prepared to manage most electricity disruptions," there are gaps that are preventing some stakeholders from improving their ability to respond effectively to major cyber events that target the grid. The problems include a lack of adequate information sharing between the government and the private sector; a lack of clarity about the roles specific organizations play in incident response; inadequate efforts to address electric sector supply chain security issues; and an insufficient work force.

Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls

FERC

April 25, 2018

FERC approves Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security—Security Management Controls), submitted by the North American Electric Reliability Corporation (NERC). Reliability Standard CIP-003-7 clarifies the obligations pertaining to electronic access control for low impact BES Cyber Systems; requires mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and requires responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. In addition, the commission directs NERC to develop modifications to the CIP Reliability Standards to mitigate the risk of malicious code that could result from third-party transient electronic devices.

Multiyear Plan for Energy Sector Cybersecurity

DOE

March 1, 2018

The report lays out an integrated strategy to reduce cyber risks in the U.S. energy sector by pursuing high-priority activities that are coordinated with other DOE offices, and with the strategies, plans, and activities of the federal government and the energy sector.

Cybersecurity in the Energy Sector: A Comparative Analysis Between Europe and the United States

French Institute of International Relations (IFRI)

February 1, 2018

It is essential to enhance transatlantic cooperation in order to allow the EU and the United States to learn from one another's cybersecurity frameworks. Thus, in spite of current differences between the EU and the United States on many issues, cybersecurity represents one area where there exists a real opportunity to deepen transatlantic cooperation in the years to come.

Supply Chain Risk Management Reliability Standards

FERC

January 25, 2018

In Order No. 829, the commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. FERC proposes to approve supply chain risk management Reliability Standards CIP–013–1 (Cyber Security—Supply Chain Risk Management), CIP–005–6 (Cyber Security—Electronic Security Perimeter(s)) and CIP–010–3 (Cyber Security—Configuration Change Management and Vulnerability Assessments). In addition, the commission proposes that NERC develop and submit certain modifications to the supply chain risk management Reliability Standards.

Mandatory Reliability Standards: Revised Critical Infrastructure Protection Reliability Standard CIP-003-7 Cyber Security Management Controls

FERC

October 27, 2017

FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security—Security Management Controls), submitted by the North American Electric Reliability Corporation (NERC). The standard improves upon the current commission-approved CIP Reliability Standards by clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. In addition, the commission proposes to direct NERC to develop certain modifications to the NERC Reliability Standards to provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems; and address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. (9 pages)

Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group

Symantec

October 20, 2017

According to the report, intruders gained access to power grid systems in the United States. The group responsible for the attacks is known as Dragonfly and has been active since at least 2011. In the recent string of attacks, Dragonfly appears to have gained operational access to some systems, meaning it could have caused power outages.

How Power Grid Hacks Work, and When You Should Panic

Wired

October 13, 2017

Of the hundreds of well-funded hacker groups that [security firm] Dragos tracks globally, [CEO and founder Rob] Lee says that roughly 50 have targeted companies with industrial control systems. Of those, Dragos has found only six or seven groups that have reached into companies' so-called operations network—the actual controls of physical infrastructure. And even among those cases, Lee says, only two such groups have been known to actually trigger real physical disruption: the Equation Group, believed to be the NSA team that used the Stuxnet malware to destroy Iranian nuclear enrichment centrifuges, and the Sandworm team behind the blackouts in Ukraine.

Enhancing the Resilience of the Nation's Electricity System

National Academies Press

July 2017

The book focuses on identifying, developing, and implementing strategies to increase the power system's resilience in the face of events that can cause large-area, long-duration outages: blackouts that extend over multiple service areas and last several days or longer. Resilience is not just about lessening the likelihood that these outages will occur. It is also about limiting the scope and impact of outages when they do occur, restoring power rapidly afterwards, and learning from these experiences to better deal with events in the future. (171 pages)

Protecting the Connected Barrels—Cybersecurity for Upstream Oil and Gas

Deloitte

June 26, 2017

Three out of four oil and natural gas companies fell victim to at least one cyberattack last year as hacking efforts against the industry become more frequent and sophisticated. At the same time, older equipment that must be retrofitted for cybersecurity, including the pumps known as nodding donkeys, makes it tougher to defend against sophisticated attacks. Less than half of drillers use any monitoring tools on their upstream operations networks, the report found. Of those, only 14% have fully operational security monitoring centers.

Crash Override: Analysis of the Threat to Electric Grid Operations

Dragos

June 12, 2017

The report serves as an industry report to inform the electric sector and security community of the potential implications of the Crash Override malware (designed and deployed to attack electric grids) and the appropriate details to have a nuanced discussion. The malware is known to have disrupted only one energy system in Ukraine in December, but with modifications, it could be deployed against U.S. electric transmission and distribution systems to devastating effect. (35 pages)

Liberty Eclipse Energy-Energy Assurance Exercise & Event, Dec 8-9, 2016

DOE Infrastructure Security & Energy Restoration

April 18, 2017

The results of the "Liberty Eclipse" energy assurance exercise in December are catalogued in a DOE-released report, which offers a series of recommendations for the federal government to improve its work to protect the electric grid and other energy infrastructure. The exercise tested how state and emergency management officials would respond to a cyber incident that took out power across seven states in the Northeast and mid-Atlantic regions, affecting 16.7 million customers and components of critical infrastructure. (25 pages)

Cyberattack on the U.S. Power Grid

Council on Foreign Relations

April 2017

An adversary with the capability to exploit vulnerabilities within the U.S. power grid might be motivated to carry out such an attack under a variety of circumstances. An attack on the power grid could be part of a coordinated military action, intended as a signaling mechanism during a crisis, or as a punitive measure in response to U.S. actions in some other arena. In any of these cases, the United States should consider not only the potential damage and disruption caused by a cyberattack but also its broader effects on U.S. actions at the time it occurs. (11 pages)

Transforming the Nation's Electricity System: The Second Installment of the Quadrennial Energy Review

DOE

January 6, 2017

Cybersecurity threats are central to the report, which explores the benefits and risks of the increasing integration between technology and the electric grid. The DOE report makes more than 70 recommendations to policymakers, including declaring that the electric grid is a national security asset and deserves that heightened level of protection, boosting federal support to state efforts to reduce electricity demand, and providing grants for small utilities to increase grid security. (490 pages)

Federal Efforts to Enhance Grid Resilience

GAO

January 2017

Since 2013, DOE, DHS, and FERC reported implementing 27 grid resiliency efforts and identified a variety of results from these efforts. The efforts addressed a range of threats and hazards—including cyberattacks, physical attacks, and natural disasters—and supported different types of activities. These efforts also addressed each of the three federal priorities for enhancing the security and resilience of the electricity grid: (1) developing and deploying tools and technologies to enhance awareness of potential disruptions, (2) planning and exercising coordinated responses to disruptive events, and (3) ensuring actionable intelligence on threats is communicated between government and industry in a time-sensitive manner. (53 pages)

Grid Security Emergency Orders: Procedures for Issuance

DOE

December 7, 2016

DOE is proposing to issue procedural regulations concerning the Secretary of Energy's issuance of an emergency order following the President's declaration of a Grid Security Emergency, under the Federal Power Act, as amended. New Section 215A(b) authorizes the Secretary to order emergency measures after the President declares a grid security emergency. A grid security emergency could result from a physical attack, a cyber-attack using electronic communication or an electromagnetic pulse (EMP), or a geomagnetic storm event, damaging certain electricity infrastructure assets and impairing the reliability of the nation's power grid. (8 pages)

Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities

SANS Institute and Nuclear Threat Initiative

December 2016

A paper prepared for the 2016 IAEA International Conference on Nuclear Security examines the growing cyber threat to nuclear facilities and provides priorities for governments and industry for protecting nuclear facilities from cyberattacks. (11 pages)

Joint United States-Canada Electric Grid Security and Resilience Strategy

U.S. and Canadian federal governments

December 2016

The strategy addresses the vulnerabilities of the two countries' respective and shared electric grid infrastructure, not only as an energy security concern, but for reasons of national security. The joint strategy relies on the existing strong bilateral collaboration between the United States and Canada, and it reflects a joint commitment to enhance a shared approach to risk management for the electric grid. It also articulates a common vision of the future electric grid that depends on effective and expanded collaboration among those who own, operate, protect, and rely on the electric grid. Because the electric grid is complex, vital to the functioning of modern society, and dependent on other infrastructure for its function, the United States and Canada developed the strategy under the shared principle that security and resilience require increasingly collaborative efforts and shared approaches to risk management. (24 pages)

The Energy Sector H4CK3R Report: Profiling the Hacker Groups that Threaten our Nation's Energy Sector

Institute for Critical Infrastructure Technology (ICIT)

August 2016

The report introduces the most prominent actors and exploits, along with hacker group profiles and choice vectors of attack into the conversation of energy sector resiliency to convert bureaucratic babble into a strategic conversation about true and viable security that takes into consideration the complete picture of energy sector vulnerabilities. (56 pages)

Revised Critical Infrastructure Protection Reliability Standards

FERC

July 29, 2016

FERC directs the North American Electric Reliability Corporation to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. The new or modified Reliability Standard is intended to mitigate the risk of a cybersecurity incident affecting the reliable operation of the Bulk Power System. (17 pages)

Programmable Logic Computers in Nuclear Power Plant Control Systems

NRC

June 2016

The NRC is denying a petition for rulemaking (PRM), filed by Mr. Alan Morris (petitioner) on March 14, 2013, as supplemented most recently on December 19, 2013. The petitioner requested that the NRC require that his "new-design programmable logic computers [PLCs]" be installed in the control systems of nuclear power plants to block malware attacks on the industrial control systems of those facilities. In addition, the petitioner requested that nuclear power plant staff be trained "in the programming and handling of the non-rewriteable memories" for nuclear power plants. (4 pages)

Cyber Security at Fuel Cycle Facilities

NRC

April 12, 2016

The NRC is making available a final regulatory basis document to support a rulemaking that would amend its regulations by adopting new cybersecurity requirements for certain nuclear fuel cycle facility (FCF) licensees to address safety, security, and safeguards. The NRC is not seeking public comments on this document. There will be an opportunity for formal public comment on the proposed rule when it is published in the Federal Register. The NRC is making documents publicly available on the federal rulemaking website, www.regulations.gov, under Docket ID NRC–2015–0179. (1 page)

Superstorm Sandy: Implications for Designing a Post-Cyber Attack Power Restoration System - National Security Perspective

Johns Hopkins University Applied Physics Laboratory

April 2016

The study summarizes restoration challenges posed by Superstorm Sandy and contrasts them with those that would be produced by a cyberattack on the grid. The study then examines the implications of these disparate challenges for the electricity industry's mutual assistance system and proposes potential steps to build an "all-hazards" system that can account for the unique problems that cyberattacks will create. The study also analyzes support missions that state and federal agencies might perform in response to requests for assistance from utilities and how to build a cyber response framework that can coordinate such requests. The study concludes by examining how utilities might prepare in advance for post-cyberattack opportunities to strengthen the architecture of the grid in ways that are not politically or economically feasible today. (66 pages)

Revised Critical Infrastructure Protection (CIP) Reliability Standards

FERC

January 26, 2016

The proposed reliability standards address the cybersecurity of the bulk electric system and improve upon the current commission-approved CIP Reliability Standards. In addition, the commission directs NERC to develop certain modifications to improve the CIP Reliability Standards. (15 pages)

Revised Critical Infrastructure Protection Reliability Standards; Supplemental Notice of Agenda and Discussion Topics for Staff Technical Conference

FERC

December 28, 2015

In a July 22, 2015, Notice of Proposed Rulemaking (NOPR), FERC proposed to direct NERC to develop new or modified CIP Reliability Standards to provide security controls relating to supply chain risk management for industrial control system hardware, software, and services. The commission sought and received comments on this proposal. (3 pages)

Transmission Operations Reliability Standards and Interconnection Reliability Operations and Coordination Reliability Standards

FERC

November 27, 2015

FERC approves revisions to the standards developed by NERC, which the commission has certified as the Electric Reliability Organization responsible for developing and enforcing mandatory reliability standards. The commission also directs NERC to make three modifications to the standards within 18 months of the effective date of the final rule. (15 pages)

Cyber Security Event Notifications

NRC

November 2, 2015

This rule establishes new cybersecurity event notification requirements for nuclear power reactor licensees. These requirements contribute to the NRC's analysis of the reliability and effectiveness of licensees' cybersecurity programs and play an important role in the continuing effort to provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks, up to and including the design basis threat. (14 pages)

Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention

GAO

October 21, 2015

In a 2011 report, GAO recommended that (1) NIST improve its cybersecurity standards, (2) FERC assess whether challenges identified by GAO should be addressed in ongoing cybersecurity efforts, and (3) FERC coordinate with other regulators to identify strategies for monitoring compliance with voluntary standards. The agencies agreed with the recommendations, but FERC has not taken steps to monitor compliance with voluntary standards. (18 pages)

Energy Department Invests Over $34 Million to Improve Protection of the Nation's Energy Infrastructure

DOE

October 9, 2015

DOE announced more than $34 million for two projects to improve the protection of the U.S. electric grid and oil and natural gas infrastructure from cyber threats. The University of Arkansas and the University of Illinois will assemble teams with expertise in power systems engineering and the computer science of cybersecurity to develop new technologies to help protect energy delivery systems that control the physical processes in delivering continuous and reliable power.

Cyber Security at Civil Nuclear Facilities: Understanding the Risk

Chatham House

October 2015

The risk of a serious cyberattack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial off-the-shelf software. The trend to digitization, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realize the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks. (53 pages)

Identity and Access Management for Electric Utilities

NIST

August 24, 2015

To help the energy sector address the cybersecurity challenge, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend.

FACT SHEET: The 2015 G-7 Summit at Schloss Elmau, Germany

White House

June 8, 2015

Member nations of the Group of Seven (G-7) announced a new cooperative effort to guard the energy sector from hackers, cyber spies, and other online attackers. The seven industrialized democracies will exchange information on methods for identifying cyber threats and vulnerabilities within the energy sector, sharing best practices, and making "investment in cybersecurity capabilities and capacity building." See "Launching New Work on Energy Sector Cybersecurity" on the fact sheet.

Energy Sector Cybersecurity Framework Implementation Guidance: Draft For Public Comment and Comment Submission Form

DOE Office of Electricity Delivery and Energy Reliability

September 12, 2014

Energy companies need not make a choice between the NIST cybersecurity framework and the DOE's Cybersecurity Capability Maturity Model (C2M2). The NIST framework tells organizations to grade themselves on a four-tier scale based on their overall cybersecurity program sophistication. C2M2 tells users to assess cybersecurity control implementation across 10 domains of cybersecurity practices, such as situational awareness, according to their specific "maturity indicator level."

Guidelines for Smart Grid Cybersecurity, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements (3 volumes)

NIST

September 2014

The three-volume report presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart-grid stakeholders—from utilities to energy management services providers to electric vehicle and charging station manufacturers—can use the report's methods and supporting information as guidance to assess risk and identify and apply appropriate security requirements. The approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify. (668 pages)

Securing the U.S. Electrical Grid: Understanding the Threats to the Most Critical of Critical Infrastructure, While Securing a Changing Grid

Center for the Study of the Presidency and Congress

July 2014

Although electrical grid modernization entails significant security challenges, it provides an opportunity to incorporate security—both in the hardware and software controlling these systems and in the business models, regulatory systems, financial incentives, and insurance structures that govern the generation, transmission, and distribution of electric power. The report seeks to identify the immediate actions that can be taken by the White House, Congress, and the private sector to mitigate current threats to the electrical grid. (180 pages)

Cybersecurity and Connecticut's Public Utilities

Connecticut Public Utilities Regulatory Authority

April 14, 2014

The document is Connecticut's cybersecurity utilities plan to help strengthen defense against possible future cyber threats. Connecticut is the first state to present a cybersecurity strategy in partnership with the utilities sector and will share it with other states working on similar plans. Among other findings, the report recommends that Connecticut commence self-regulated cyber audits and reports and move toward a third-party audit and assessment system. It also makes recommendations regarding local and regional regulatory roles, emergency drills and training, emergency management officials' coordination, and confidential information handling. (31 pages)

Cybersecurity Procurement Language for Energy Delivery Systems

DOE Energy Sector Control Systems Working Group

April 2014

The guidance suggests procurement strategies and contract language to help U.S. energy companies and technology suppliers build in cybersecurity protections during product design and manufacturing. It was "developed through a public-private working group including federal agencies and private industry leaders." (46 pages)

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study)

Carnegie Mellon University Software Engineering Institute

January 23, 2014

ES-C2M2 is a White House initiative, led by DOE in partnership with DHS and representatives of electricity subsector asset owners and operators, to manage dynamic threats to the electric grid. Its objectives are to strengthen cybersecurity capabilities, enable consistent evaluation and benchmarking of cybersecurity capabilities, and share knowledge and best practices. (39 pages)

Version 5 Critical Infrastructure Protection Reliability Standards

FERC

December 3, 2013

FERC proposes to approve NERC's Version 5 Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-5 through CIP-011-1. The proposed reliability standards, which pertain to the cybersecurity of the bulk electric system, are an improvement over the current commission-approved CIP Reliability Standards because they adopt new cybersecurity controls and extend the scope of the systems that are protected by the existing standards. (18 pages)

The Department of Energy's July 2013 Cyber Security Breach

DOE Inspector General

December 2013

According to DOE's inspector general, nearly eight times as many current and former Energy Department staff were affected by a July computer hack as previously estimated. In August, DOE estimated that the hack affected roughly 14,000 current and former staff, leaking personally identifiable information such as Social Security numbers, birthdays, and banking information. But the breach apparently affected more than 104,000 people. (28 pages)

Electric Grid Vulnerability: Industry Responses Reveal Security Gaps

Representative Edward Markey and Representative Henry Waxman

May 21, 2013

The report found that less than one-quarter of investor-owned utilities and less than one-half of municipally and cooperatively owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010. (35 pages)

Terrorism and the Electric Power Delivery System

National Academies of Science (NAS)

November 2012

The report focuses on measures that could make the electric power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable when delivery of conventional electric power has been disrupted. (146 pages)

Canvassing the Targeting of Energy Infrastructure: The Energy Infrastructure Attack Database

Journal of Energy Security

August 7, 2012

The Energy Infrastructure Attack Database (EIAD) is a noncommercial dataset that structures information on reported (criminal and political) attacks on energy infrastructure worldwide by non-state actors since 1980. The objective of EIAD was to develop a product that could be broadly accessible and connect to existing available resources. (8 pages)

Smart Grid Cybersecurity: Job Performance Model Report

Pacific Northwest National Laboratory

August 2012

The report outlines the work done to develop a smart-grid cybersecurity certification. The primary purpose was to develop a measurement model that may be used to guide curriculum, assessments, and other development of technical and operational smart-grid cybersecurity knowledge, skills, and abilities. (178 pages)

Smart-Grid Security

Center for Infrastructure Protection and Homeland Security, George Mason School of Law

August 2012

The report highlights the significance of and the challenges with securing the smart grid. (26 pages)

Cybersecurity: Challenges in Securing the Electricity Grid

GAO

July 17, 2012

In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented. (25 pages)

Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities

DOE

June 28, 2012

The Cybersecurity Self-Evaluation Tool uses best practices developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid.

Cybersecurity Risk Management Process (Electricity Subsector)

DOE Office of Electricity Delivery and Energy Reliability

May 2012

The guideline describes a risk-management process targeted to the specific needs of electricity-sector organizations. Its objective was to build upon existing guidance and requirements to develop a flexible risk-management process tuned to the diverse missions, equipment, and business needs of the electric power industry. (96 pages)

Cybersecurity: Challenges to Securing the Modernized Electricity Grid

GAO

February 28, 2012

As GAO reported in January 2011, securing smart grid systems and networks presents a number of key challenges that require attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them. (19 pages)

ICT Applications for the Smart Grid: Opportunities and Policy Implications

Organization for Economic Co-operation and Development (OECD)

January 10, 2012

The report discusses "smart" applications of information and communication technologies (ICTs) for more sustainable energy production, management, and consumption. It outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues. (44 pages)

The Future of the Electric Grid

Massachusetts Institute of Technology (MIT)

December 5, 2011

Chapter 1 provides an overview of the status of the electric grid, the challenges and opportunities it faces, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2-9 are provided in each chapter's introduction, and recommendations are collected and briefly discussed in each chapter's final section. (See Chapter 9, "Data Communications, Cybersecurity, and Information Privacy," pages 208-234). (39 pages)

Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed

GAO

January 12, 2011

GAO recommended that "to reduce the risk that NIST's smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines." (50 pages)

WIB Security Standard Released

International Instrument Users Association (WIB)

November 10, 2010

The Netherlands-based WIB, an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements for Vendors document—the first international standard that outlines a set of specific requirements focusing on cybersecurity best practices for industrial automation and control systems suppliers.

NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines

NIST

September 2, 2010

NIST released a three-volume set of recommendations relevant to securing the smart grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of residential privacy issues, and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

DOE, Idaho National Laboratory

May 2010

The report by the National Supervisory Control and Data Acquisition (SCADA) Test Bed (NSTB) program notes that the computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the vulnerabilities are strikingly basic and fixable. (123 pages)

21 Steps to Improve Cyber Security of SCADA Networks

DOE, Infrastructure Security and Energy Restoration

January 1, 2007

The President's Critical Infrastructure Protection Board and DOE have developed steps to help any organization improve the security of its SCADA networks. The steps are divided into two categories: (1) specific actions to improve implementation and (2) actions to establish essential underlying management processes and policies. (10 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are given for documents; other cited resources are web pages.

Table 3. Financial Industry Sector

(includes banks, insurance, SEC guidance, FFIEC, FDIC, FSOC, IRS)

Title

Source

Date

Notes

Cybersecurity Fraud

American Bankers Association (ABA)

Continuously Updated

ABA offers resources to help banks prevent, identify, measure, and report fraud, and to serve and protect consumers and their financial data.

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Federal Financial Institutions Examination Council (FFIEC)

Continuously Updated

The increasing sophistication and volume of cyber threats and their ability to disrupt operations or corrupt data can affect the business resilience of financial institutions and technology service providers (TSPs). Financial institutions and their TSPs need to incorporate the potential impact of a cyber event into their business continuity planning (BCP) process and ensure appropriate resilience capabilities are in place. The changing cyber threat landscape may include risks that must be managed to achieve resilience.

Financial Services Information Sharing & Analysis Center (FS-ISAC)

FS-ISAC

Continuously Updated

The Financial Services Information Sharing and Analysis Center, FS-ISAC, is the global financial industry's go-to resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned nonprofit entity.

ICBA Data Breach Toolkit

Independent Community Bankers of America (ICBA)

Continuously Updated

ICBA and Visa have teamed up to bring a special communications toolkit to community banks. The comprehensive communications guide gives community banks the means to communicate with card customers and the media within 24 hours of a data compromise. The toolkit includes a brochure on communications best practices following a data breach and customizable template materials, such as cardholder letters, statement inserts, FAQs, and media statements.

Financial Services Sector Cybersecurity Profile All-in-One with Assessment Tool

Financial Services Sector Coordinating Council

October 25, 2018

The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a "common college application for regulatory compliance") both within the United States and globally.

Provisions Pertaining to Certain Investments in the United States by Foreign Persons

Department of the Treasury

October 11, 2018

The rule requires all foreign investors in certain deals involving critical U.S. technology to submit to national security reviews or face fines as high as the value of their proposed transactions. The new regulations implement a recently passed law to tighten foreign-investment reviews, under the purview of the Committee on Foreign Investment in the U.S. (CFIUS).

Assessment of Business Cybersecurity

U.S. Chamber of Commerce and FICO

October 11, 2018

The report looks at the cybersecurity risk of 2,574 U.S. firms, as quantified by the FICO® Cyber Risk Score, an empirically derived tool intended to measure the cybersecurity risk of any organization objectively. To enable relevant comparisons, the Assessment of Business Cybersecurity (ABC) groups firms into 10 distinct sector categories, each further broken down into small, medium, and large size classes.

Protecting Financial Institutions Against Cyber Threats: A National Security Issue

Carnegie Cyber Policy Initiative

September 24, 2018

The report presents a comprehensive proposal for conceptualizing and implementing operational collaboration between the U.S. government and critical elements of the financial sector to defend against significant cyber threats. In particular, prioritized intelligence collection against sector-specific threats, side-by-side analytic collaboration between government and private-sector analysts, fully articulated playbooks, routinized exercising of playbooks, and the development of organizational connective tissue between the sector and government would substantially enhance defense in cyberspace of a key sector of the U.S. economy.

FDIC Needs to Improve Controls over Financial Systems and Information

GAO

May 31, 2017

As part of its audit of the 2016 and 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund, which are administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. (34 pages)

Toward a Global Norm Against Manipulating the Integrity of Financial Data

Carnegie Cyber Policy Initiative

March 28, 2017

The paper proposes that the G20 heads of state should explicitly commit not to manipulate the integrity of data and algorithms of financial institutions and to cooperate when such incidents occur. (20 pages)

Demystifying Cyber Insurance

Deloitte University Press

February 23, 2017

Organizations continue to invest heavily in cybersecurity efforts to safeguard themselves against threats, but far fewer have signed on for cyber insurance to protect their firms after an attack. This publication examines the existing roadblocks and what steps the industry could take to help clear them. (24 pages)

Mapping the Global Legal Landscape of Blockchain Technologies

Max Planck Institute for Comparative Public Law & International Law; Centre for International Governance Innovation

February 14, 2017

Blockchain technologies are beginning to push a broad array of global economic activities away from centralized and toward decentralized market structures. Governments should tackle the new regulatory conundrums of an increasingly disintermediated global economy by focusing on blockchain's individual use cases rather than its underlying enabling technologies. Grouping the known use cases around common characteristics reveals three broad categories of blockchain/law interfaces: the green box, the dark box, and the sandbox. Each raises distinctive legal, regulatory, and policy challenges deserving of separate analysis. (15 pages)

Enhanced Cyber Risk Management Standards

Federal Reserve Board, Comptroller of the Currency, FDIC

January 24, 2017

The agencies are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, to U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and to financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. The proposed enhanced standards would not apply to community banks. (12 pages)

2016 Financial Stability Report

Department of the Treasury, Office of Financial Research

December 12, 2016

The report assesses financial stability risks in five risk categories that the office monitors regularly. In the second chapter, it analyzes seven key vulnerabilities in depth. (124 pages)

Joint Industry Plan; Order Approving the National Market System Plan Governing the Consolidated Audit Trail

Securities and Exchange Commission (SEC)

November 23, 2016

"In response to the several commenters that discussed issues surrounding the cost of a breach, including which parties should bear the cost of a breach, and whether the Plan Processor, the Participants and the commission should indemnify the broker-dealers from all liability in the event of a breach that is no fault of the broker, the commission notes that the Plan requires that the Plan Processor's cyber incident response plan must address insurance issues related to security breaches and that as part of the discussions on insurance coverage and liability, further detail about the distribution of costs will be undertaken. The Commission believes that it is reasonable to require, at this stage, that the cyber incident response plan outline the key areas of breach management that must be addressed by the Plan Processor; further details on the breach management protocols, including details about who might bear the cost of a breach and under what specific circumstances, will follow once the Plan Processor is selected." (340 pages)

Creating a Federally Sponsored Cyber Insurance Program

Council on Foreign Relations

November 2016

The report recommends that a federally sponsored cyber insurance program should use the promise of limited financial liability to promote participation in initiatives that benefit Internet security as a whole and reduce systemic risk. Initially, the government's goal should be to use the program to promote data sharing of incidents so that insurers can accurately price risk and set premiums. Doing so could provide the data necessary to judge the effectiveness of existing best practices and identify new practices that should be widely adopted. (6 pages)

System Safeguards Testing Requirements

Commodity Futures Trading Commission (CFTC)

September 19, 2016

The CFTC is adopting final rules amending its current system safeguards rules for designated contract markets, swap execution facilities, and swap data repositories, by enhancing and clarifying current provisions relating to system safeguards risk analysis and oversight and cybersecurity testing, and by adding new provisions concerning certain aspects of cybersecurity testing. (49 pages)

System Safeguards Testing Requirements for Derivatives Clearing Organizations

CFTC

September 19, 2016

The CFTC is adopting enhanced requirements for testing by a derivatives clearing organization (DCO) of its system safeguards, as well as additional amendments to reorder and renumber certain paragraphs within the regulations and make other minor changes to improve the clarity of the rule text. (20 pages)

Science, Space, and Technology Committee's Investigation of FDIC's Cybersecurity

House Science, Space, and Technology Committee (Staff Report)

July 12, 2016

According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the personal computers of the agency's top officials: the FDIC chairman, his chief of staff, and the general counsel. When congressional investigators tried to review the FDIC's cybersecurity policy, the agency hid the hack, according to the report. (25 pages)

Adviser Business Continuity and Transition Plans (Proposed Rule)

SEC

July 5, 2016

The proposed rule would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations. The proposal would also amend rule 204-2 under the Advisers Act to require SEC-registered investment advisers to make and keep all business continuity and transition plans that are currently in effect or were in effect at any time within the past five years. (27 pages)

FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed

GAO

June 29, 2016

GAO assessed the effectiveness of the FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel. (29 pages)

Guidance on Cyber Resilience for Financial Market Infrastructures

Bank for International Settlements and OICU-IOSCO

June 2016

The Cyber Guidance requires FMIs to instill a culture of cyber risk awareness and to demonstrate ongoing re-evaluation and improvement of their cyber resilience posture at every level within the organization. The Cyber Guidance does not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17), and FMI links (Principle 20). (32 pages)

Cyber-Related Sanctions Regulations

Treasury Department Office of Foreign Assets Control (OFAC)

December 31, 2015

OFAC is issuing regulations to implement Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," April 1, 2015. OFAC intends to supplement part 578 with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy. (8 pages)

Transfer Agent Regulations

SEC

December 31, 2015

See Part E. Cybersecurity, Information Technology, and Related Issues. "Cybersecurity risks faced by the capital markets and Commission-regulated entities are of particular concern to the Commission. Given the highly-dependent, interconnected nature of the U.S. capital markets and financial infrastructure, including the National C&S System, as well as the prevalence of electronic book-entry securities holdings in that system, the Commission has a significant interest in addressing the substantial risks of market disruptions and investor harm posed by cybersecurity issues. Transfer agents are subject to many of the same risks of data system breach or failure that other market participants face." (58 pages)

System Safeguards Testing Requirements

CFTC

December 23, 2015

The CFTC is amending its system safeguards rules for designated contract markets, swap execution facilities, and swap data repositories by (1) enhancing and clarifying existing provisions related to system safeguards risk analysis, oversight, and cybersecurity testing and (2) adding new provisions concerning certain aspects of cybersecurity testing. (53 pages)

FFIEC Releases Statement on Cyber Attacks Involving Extortion

FFIEC

November 3, 2015

FFIEC released a statement describing steps financial institutions can take to respond to cyberattacks involving extortion. The statement highlights resources institutions can use to mitigate the risks posed by such attacks. (3 pages)

Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information

GAO

July 2, 2015

The report's objectives include examining (1) how regulators oversee institutions' efforts to mitigate cyber threats, and (2) sources of and efforts by agencies to share cyber threat information. GAO collected and analyzed cybersecurity studies from private-sector sources and reviewed materials from selected IT examinations (based on regulator, institution size, and risk level). GAO also held three forums with more than 50 members of financial institution industry associations who provided opinions on cyber threat information sharing. (73 pages)

2015 Annual Report

Financial Stability Oversight Council (FSOC)

April 25, 2015

Under the Dodd-Frank Act, FSOC must report annually to Congress on a range of issues, including significant financial market and regulatory developments and potential emerging threats to the financial stability of the United States. FSOC's recommendations address heightened risk management and supervisory attention to operational risks, including cybersecurity and infrastructure. (150 pages)

National Cybersecurity Center of Excellence Access Rights Management Use Case for the Financial Services Sector

NIST

April 3, 2015

NIST is canvassing for technologies the financial-services sector could use to unify disparate computer logon systems. As part of the ongoing work of the agency's National Cybersecurity Center of Excellence, the goal is for the center to review technologies that can create a unified "comprehensive identity and access management system" that streamlines access across multiple applications and automatically monitors activity. (3 pages)

Cybersecurity Guidance

SEC

April 2015

The SEC's Division of Investment Management guidance states that an investment fund that cannot repay shareholders because of a cyberattack risks violating federal securities laws. The guidance recommends that advisors and funds conduct periodic assessments, have a cybersecurity strategy, and have written policies and procedures to mitigate cyberattacks. (6 pages)

Cybersecurity Examination Sweep Summary

SEC

February 3, 2015

The SEC published findings from an assessment of more than 100 broker-dealers and investment advisers initiated in April 2014. More than 90% of broker-dealers and 80% of advisers had written information security policies, with most brokerages and just over half of advisers conducting audits. But less than one-third of brokerages and one-fifth of advisers include written policies about responsibility for client losses in the event of a cyber incident. In addition, although 84% of broker-dealers applied risk assessments to their vendors, only 32% of advisers did. (7 pages)

Annual Assessment of the Internal Revenue Service's Information Technology Program

Department of the Treasury, Treasury Inspector General for Tax Administration (TIGTA)

September 30, 2014

The report identifies a list of security weaknesses in the Internal Revenue Service's (IRS's) systems that support the Affordable Care Act. The security control weaknesses could affect the IRS's ability to reliably process insurers' and drug companies' reports electronically. (45 pages)

OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations

Treasury

September 11, 2014

The OCC released interagency guidelines establishing information security standards for national banks, federal branches and agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). (33 pages)

Third-Party Security Assurance Information Supplement

Payment Card Industry (PCI) Security Standards Council

August 7, 2014

The PCI Security Standards Council has created guidelines meant to help banks and merchants mitigate the risks posed by third parties that process credit card payment information. The guidance includes practical recommendations on how to conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided.

OCIE Cybersecurity Initiative

SEC

April 15, 2014

The SEC's Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on the entity's cybersecurity governance; identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats. (9 pages)

Self-Regulatory Organizations; Chicago Board Options Exchange, Incorporated; Notice of Withdrawal of Proposed Rule Change Relating to Multi-Class Spread Orders

SEC

February 24, 2014

The SEC solicited comments on proposed amendments to the Financial Industry Regulatory Authority's (FINRA's) arbitration codes to ensure that parties' private information, such as Social Security and financial account numbers, is redacted to include only the last four digits of the number. The proposed amendments would apply only to documents filed with FINRA. They would not apply to documents that parties exchange with each other or submit to the arbitrators at a hearing on the merits. (1 page)

Cybersecurity Exercise: Quantum Dawn 2

Securities Industry and Financial Markets Association (SIFMA)

October 21, 2013

Quantum Dawn 2 is a cybersecurity exercise to test incident response, resolution, and coordination processes for the financial services sector and the individual member firms to a street-wide cyberattack.

FFIEC Forms Cybersecurity and Critical Infrastructure Working Group

FFIEC

June 6, 2013

FFIEC formed a working group to further promote coordination across federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues. (2 pages)

Identity Theft Red Flags Rules

CFTC

April 19, 2013

The joint final rule and guidelines require financial institutions and creditors to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The rules include guidelines to assist entities in the formulation and maintenance of programs that would satisfy the requirements of the rules. (30 pages)

Regulation Systems Compliance and Integrity

SEC

March 25, 2013

The SEC examined the exposure of stock exchanges, brokerages, and other Wall Street firms to cyberattacks. The proposed rule asked whether stock exchanges should be required to inform members about breaches of critical systems. More than half of exchanges surveyed globally in 2012 said they had experienced a cyberattack, and 67% of U.S. exchanges said hackers tried to penetrate their systems. (104 pages)

Cybersecurity: CF Disclosure Guidance: Topic No. 2

SEC

October 13, 2011

The guidance presents the views of the Division of Corporation Finance regarding "disclosure obligations relating to cybersecurity risks and cyber incidents." It is not a rule, regulation, or statement of the SEC, however, and the commission has neither approved nor disapproved its content.

Partnership for Cybersecurity Innovation

White House Office of Science and Technology Policy

December 6, 2010

The Obama Administration released a memorandum of understanding signed by DOC's NIST, DHS's Science and Technology Directorate (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement was to speed up the commercialization of cybersecurity research innovations that support the nation's critical infrastructures. (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are given for documents; other cited resources are web pages.

Table 4. Health Sector

(includes Healthcare.gov, health insurance, Medicaid, medical devices)

Title

Source

Date

Notes

HHS Breach Portal: Breaches Affecting 500 or More Individuals

Department of Health and Human Services (HHS)

Continuously Updated

As required by Section 13402(e)(4) of the HITECH Act (P.L. 111-5), the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, the new format includes brief summaries of breach cases that the HHS Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers that have reported breaches of unsecured protected health information to the Secretary.

The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices

HHS

November 1, 2018

The FDA lacks adequate plans and procedures in place for mitigating the effects of medical device cyberattacks, according to an HHS Office of Inspector General report. The FDA disagreed with the OIG's findings and said it has taken extensive steps to boost its cybersecurity oversight of medical devices since the OIG's audit.

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

FDA

October 18, 2018

This draft guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

Report on Improving Cybersecurity in the Health Care Industry

HHS Health Care Industry Cybersecurity Task Force

June 2017

To identify a wide range of threats that affect the health care industry, the Task Force relied on information gathered during public meetings, briefings and consultations with experts on a variety of topics across health care and other critical infrastructure sectors, internal Task Force meetings, and responses to blog posts. The Task Force's activities resulted in the development of recommendations that will collectively help increase security across the health care industry. The Task Force identified six high-level imperatives by which to organize its recommendations and action items. (96 pages)

Postmarket Management of Cybersecurity in Medical Devices

FDA

December 28, 2016

The guidance informs industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. It clarifies FDA's postmarket recommendations with regard to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices. (2 pages)

Precision Medicine Initiative: Data Security Policy Principles and Framework

White House

May 25, 2016

Personalized treatment for patients is the end-goal of the White House's Precision Medicine Initiative, a $215 million program launched last year. But that data, which might include details about insurance claims, demographics, genomic and biological characteristics, and information transmitted from smartphones or implantable devices, needs to be highly secured. (10 pages)

NCCoE Wireless Medical Infusion Pumps Use Case for the Health Care Sector

NIST

January 25, 2016

NIST invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Wireless Medical Infusion Pumps use case for the health care sector. The notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Health Care Sector program. (3 pages)

2015 Protected Health Information Data Breach Report (PHIDBR)

Verizon

December 15, 2015

The study shed light on the problem of medical data loss—how it is disclosed, who is causing it, and what can be done to combat it. Reportedly, 90% of industries have experienced a PHI breach. Since 2009, half of the U.S. population has been affected by PHI breaches. (34 pages)

Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

Ponemon Institute

May 2015

Reportedly, a rise in cyberattacks against doctors and hospitals is costing the U.S. health care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records. Criminal attacks are up 125% over the past five years and have replaced lost laptops as the leading threat. The study also found that most organizations are unprepared to address new threats and lack adequate resources to protect patient data. (7 pages)

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

FDA

October 1, 2014

The guidance, first issued as a draft in June 2013, instructs manufacturers to "develop a set of cybersecurity controls." It also instructs manufacturers to consider following the core functions of the NIST Cybersecurity Framework, a model for cybersecurity activities: identify, protect, detect, respond, and recover. (9 pages)

Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop; Request for Comments

FDA

September 23, 2014

In October 2014, the FDA held a public workshop on collaborative approaches for medical device and health care cybersecurity. The FDA, in collaboration with other stakeholders within the HHS and DHS, seeks broad input from the Healthcare and Public Health (HPH) sector on medical device and health care cybersecurity. The workshop's vision was to catalyze collaboration among all HPH stakeholders. (3 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are given for documents; other cited resources are web pages.

Table 5. Telecommunications and Communications Sector

(includes wired, wireless, Internet service providers, GPS, undersea cables, public safety broadband network)

Title

Source

Date

Notes

The Communications Security, Reliability and Interoperability Council (CSRIC)

Federal Communications Commission (FCC)

Continuously Updated

The CSRIC mission is to provide recommendations to the FCC to ensure optimal security and reliability of communications systems, including telecommunications, media, and public safety.

Attorney General Jeff Sessions's China Initiative Fact Sheet

Department of Justice (DOJ)

November 1, 2018

DOJ announced an initiative to combat the Chinese government's "national security threats." One goal is to "identify opportunities to better address supply chain threats, especially ones impacting the telecommunications sector, prior to the transition to 5G networks."

DHS and Private Sector Partners Establish Information and Communications Technology Supply Chain Risk Management Task Force

DHS

October 30, 2018

DHS announced the formation and chartering of the nation's first Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, a public-private partnership to examine and develop consensus recommendations to identify and manage risk to the global ICT supply chain.

President's National Security Telecommunications Advisory Committee

DHS

May 1, 2018

The committee will receive remarks from DHS leadership and other senior government officials regarding the government's current cybersecurity initiatives and NS/EP priorities. NSTAC members will also receive a status update on the NSTAC Cybersecurity Moonshot Subcommittee's examination of concepts related to a Cybersecurity Moonshot, which has two primary objectives: (1) defining an ambitious but achievable outcome-focused end goal for the cybersecurity environment and (2) defining the structure and process necessary to successfully execute against the identified end goal.

Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology

U.S.-China Economic and Security Review Commission

April 19, 2018

It is unlikely that political or economic shifts will push global ICT manufacturers to dramatically reduce their operations in China or their partnerships with Chinese firms. A national strategy is needed for supply chain risk management of U.S. ICT, and it must include supporting policies so that U.S. security posture is forward-leaning, rather than reactive and based on incident response. To minimize risks, the federal government should: centralize the leadership of federal ICT supply chain risk management efforts, link federal funding to supply chain risk management, promote supply chain transparency, and craft forward-looking policies.

Guide to Securing Networks for Wi-Fi

DHS Cybersecurity Engineering

March 15, 2017

The guide summarizes leading practices and technical guidance for securing networks from wireless threats and for securely implementing wireless access to networks. It specifically focuses on the wireless technologies commonly referred to as "Wi-Fi" as defined in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family. The guide does not include commercial mobile networks (e.g., 3GPP, LTE). The guide addresses wireless threats that are universal to all networks and describes security controls that can work together to mitigate these threats. (17 pages)

Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

FCC

December 2, 2016

The FCC adopts these final rules, based on public comments, applying the privacy requirements of the Communications Act of 1934, as amended, to broadband Internet access service (BIAS) and other telecommunications services. In adopting these rules, the commission implements the statutory requirement that telecommunications carriers protect the confidentiality of customer proprietary information. The privacy framework in these rules focuses on transparency, choice, and data security, and provides heightened protection for sensitive customer information, consistent with customer expectations. (73 pages)

9-1-1 DDoS: Threat, Analysis and Mitigation [Distributed Denial of Service]

Ben Gurion University of the Negev

September 8, 2016

Researchers explore the 911 emergency service infrastructure and discuss why it is susceptible to this kind of attack. They then implement different forms of the attack and test the implementation on a small cellular network. They simulate and analyze anonymous attacks on a model of the current 911 infrastructure to measure the severity of their impact. (15 pages)

Disruptions to Communications

FCC

July 12, 2016

The FCC seeks comment on a proposal to update the commission's outage reporting rules to address broadband network disruptions, including packet-based disruptions based on network performance degradation, and on proposed changes to the rules governing interconnected voice over Internet protocol (VoIP) outage reporting to include disruptions based on network performance degradation. (24 pages)

FirstNet's Nationwide Public Safety Broadband Network (NPSBN)

FirstNet (National Telecommunications and Information Administration, NTIA)

October 5, 2015

FirstNet is requesting feedback from stakeholders, including states, tribes, territories, public safety stakeholders, and market participants, on Appendix C-10 NPSBN Cyber Security that will inform the development of the cybersecurity portions of the nationwide public safety broadband network (NPSBN). (3 pages)

Cybersecurity Risk Management and Best Practices (WG4): Cybersecurity Framework for the Communications Sector

FCC, CSRIC

March 18, 2015

The CSRIC is a federal advisory committee that provides recommendations to the FCC regarding best practices and actions the commission can take to help ensure security, reliability, and interoperability of communications systems and infrastructure. The CSRIC approved a report that identifies best practices, provides a variety of important tools and resources for communications companies of different sizes and types to manage cybersecurity risks, and recommends a path forward. (415 pages)

Security in the New Mobile Ecosystem

Ponemon Institute and Raytheon

August 2014

Mobile devices are quickly becoming an integral tool for the workforce, but the security practices and budgets in most organizations are not keeping pace with the growing number of devices that must be managed and kept secure. (Free registration required.) (30 pages)

Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators

Carnegie Mellon/Pittsburgh Software Institute

March 2014

The WEA service depends on computer systems and networks to convey potentially life-saving information to the public in a timely manner. However, like other cyber-enabled services, it is susceptible to risks that may enable attackers to disseminate unauthorized alerts or to delay, modify, or destroy valid alerts. Successful attacks may result in property destruction, financial loss, injury, or death and may damage WEA credibility to the extent that users ignore future alerts or disable alerting. The report describes a four-stage cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM. (183 pages)

Mobile Security Reference Architecture

Federal CIO Council and DHS

May 23, 2013

The document guides agencies in the secure implementation of mobile solutions through their enterprise architectures. It provides in-depth reference architecture for mobile computing. (103 pages)

Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment

GAO

May 21, 2013

The federal government began efforts to address the security of commercial networks' supply chain. A variety of approaches to address the potential risks posed by foreign-manufactured equipment in commercial communications networks include those taken by foreign governments. Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches. (52 pages)

Comments on Incentives to Adopt Improved Cybersecurity Practices

NIST and the National Telecommunications and Information Administration (NTIA)

April 29, 2013

DOC investigated ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders—such as companies, trade associations, academics, and others—believe would best serve as incentives, the department released public comments to the notice of inquiry.

Open Trusted Technology Provider Standard (O-TTPS)™, Version 1.0: Mitigating Maliciously Tainted and Counterfeit Products

The Open Group

April 2013

Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, the first release of the O-TTPS codifies best practices across the entire commercial, off-the-shelf information and communication technology product life cycle, including the design, sourcing, building, fulfillment, distribution, sustainment, and disposal phases. The O-TTPS will enable organizations to implement best practice requirements and allow all providers, component suppliers, and integrators to obtain trusted technology provider status. (Registration required.) (44 pages)

Privacy and Security of Information Stored on Mobile Communications Devices

FCC

June 13, 2012

The proposed rule seeks comment on the privacy and data security practices of mobile wireless services providers with respect to customer information stored on their users' mobile communications devices. (3 pages)

FCC's Plan for Ensuring the Security of Telecommunications Networks

FCC

June 3, 2011

FCC Chairman Genachowski's response to a letter from Representative Anna Eshoo dated November 2, 2010, regarding concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market. (1 page)

Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

GAO

November 30, 2010

Existing government-wide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices and OMB takes steps to improve government-wide oversight, wireless networks will remain at an increased vulnerability to attack. (50 pages)

The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)

Institute of Electrical and Electronics Engineers and the EastWest Institute

May 26, 2010

The study submits 12 major recommendations to private-sector, government, and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world's undersea communications cable infrastructure. (186 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 6. Transportation

(includes Coast Guard, air traffic control, ports and maritime, automobiles)

Title

Source

Date

Notes

Cybersecurity

Homeport, U.S. Coast Guard

Continuously Updated

Links to regulations, guidelines, advisories and alerts, and news pertaining to maritime cybersecurity.

Guidance: Navigation and Vessel Inspection Circular; Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act Regulated Facilities

U.S. Coast Guard

July 12, 2017

The Coast Guard announces the availability of draft Navigation and Vessel Inspection Circular (NVIC) 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, and requests public comment on the draft. This NVIC proposes to clarify the existing requirements under MTSA to incorporate analysis of computer and cyber risks and guidance for addressing those risks. This NVIC would provide guidance on incorporating cybersecurity risks into an effective Facility Security Assessment (FSA), as well as additional recommendations for policies and procedures that may reduce cyber risk to operators of maritime facilities. (3 pages)

Federal Motor Vehicle Safety Standards; V2V Communications

National Highway Traffic Safety Administration Proposed Rule

January 12, 2017

The document proposes to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions. This will create an information environment in which vehicle and device manufacturers can create and implement applications to improve safety, mobility, and the environment. (166 pages)

Letter to Federal Communications Commission re: Vehicle-to-Vehicle Communications

Senators Ed Markey and Richard Blumenthal

August 4, 2016

The Senators said the FCC should ensure that spectrum set aside for the vehicle-to-vehicle transmissions, also known as Dedicated Short Range Communications, is used only for safety applications. (3 pages)

Automotive Cybersecurity Best Practices: Executive Summary

Automotive Information Sharing and Analysis Center

July 21, 2016

The best practices are meant to serve as guidance in the development of automotive cybersecurity in seven key areas: governance, risk assessment and management, security by design, threat detection and protection, incident response, awareness and training, and collaboration and engagement with appropriate third parties. (8 pages)

Request for Public Comments on NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Emerging Automotive Technologies

National Highway Traffic Safety Administration

April 1, 2016

The proposed Enforcement Guidance Bulletin sets forth NHTSA's current views on emerging automotive technologies—including its view that when vulnerabilities of such technology or equipment pose an unreasonable risk to safety, those vulnerabilities constitute a safety-related defect—and suggests guiding principles and best practices for motor vehicle and equipment manufacturers in this context. (5 pages)

Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack

GAO

March 24, 2016

This report addresses, among other things, (1) available information about the key cybersecurity vulnerabilities in modern vehicles that could impact passenger safety; (2) key practices and technologies, if any, available to mitigate vehicle cybersecurity vulnerabilities and the impacts of potential attacks; (3) views of selected stakeholders on challenges they face related to vehicle cybersecurity and industry-led efforts to address vehicle cybersecurity; and (4) DOT efforts to address vehicle cybersecurity. (61 pages)

Guidelines on Cyber Security Onboard Ships

Baltic and International Maritime Council (BIMCO)

January 4, 2016

A first set of guidelines for the shipping industry contains information on understanding cyber threats, assessing and reducing risks, developing contingency plans, and identifying vulnerabilities and potential targets for cybercriminals. (36 pages)

Section 1201 Rulemaking, Proposed Exemptions of Vehicle Software

Department of Transportation (DOT) General Counsel

September 9, 2015

DOT "is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications" if their findings are released to the public, according to a DOT letter to federal Intellectual Property regulators, who are considering a proposal to allow the public to circumvent copyright protection measures attached to vehicle software. (3 pages)

United States Coast Guard Cyber Strategy

U.S. Coast Guard

June 16, 2015

Among the concrete objectives is development of formal guidance for commercial vessel and waterfront facility operators on evaluating cybersecurity vulnerabilities, which the Coast Guard began in January 2015, when it kicked off a public process that will result in issuance of a Navigation and Vessel Inspection Circular. The document details how cybersecurity will become an element of Maritime Transportation Security Act (P.L. 107-295) enforcement. (44 pages)

Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk

Senator Edward Markey

February 11, 2015

Nearly all modern vehicles have some sort of wireless connection that could potentially be used by hackers to remotely access their critical systems. Companies' protections on those connections are "inconsistent and haphazard" across the industry. In addition to security weaknesses, the survey also found that many auto companies are collecting detailed location data through pre-installed technological systems in cars and often transmitting it insecurely. (14 pages)

Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors

Senate Armed Services Committee

September 17, 2014

Hackers associated with the Chinese government successfully penetrated the Transportation Command (TRANSCOM) contractors' computer systems 20 times in a single year. Chinese hackers tried to get into the systems 50 times. The congressional committee found that only two of the intrusions were detected. It also found that officials were unaware due in large part to unclear requirements and methods for contractors to report breaches and for government agencies to share information. (52 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 7. Other Critical Infrastructure

Title

Source

Date

Notes

Cyber Risk Economics Capability Gaps Research Strategy

Department of Homeland Security (DHS)

October 19, 2018

Government and industry should focus their cyber research efforts on how to better hold component manufacturers responsible for cybersecurity lapses that could endanger vast amounts of data across entire supply chains.

Strategy for Protecting and Preparing the Homeland Against Threats of Electromagnetic Pulse and Geomagnetic Disturbances

DHS

October 9, 2018

The potential severity of both the direct and indirect impacts of an electromagnetic pulse (EMP) or geomagnetic disturbances (GMD) incident compels our national attention. The DHS has been actively analyzing the risk of the EMP-GMD problem set since its inception. The report represents DHS's first articulation of a holistic, long-term, partnership-based approach to confronting this challenge.

Threats to Precision Agriculture

DHS

October 4, 2018

The report says that emerging digital technologies in the agricultural sector face a number of cybersecurity threats. The technologies, known collectively as "precision agriculture," include Internet of Things (IoT) devices and the networks on which they rely. The report warns that devices and systems could be compromised through phishing attacks, infected USB drives, and other vectors. Attacks could be leveraged to steal data, damage equipment, harm crops and livestock, and damage reputations. The report lists best practices for agricultural businesses.

Space, the Final Frontier for Cybersecurity?

Chatham House, Royal Institute of International Affairs

September 2016

Analyzing the intersection between cyber and space security is essential to understanding this non-traditional, evolving security threat. Cybersecurity and space security are inextricably linked. Technologies in satellites and other space assets are sourced from a broad international supply base and therefore require regular security upgrades. The upgrades via remote connections could serve to make space assets vulnerable to cyberattacks. In everyday life, satellites are regularly used to provide Internet services and global navigation satellite system (GNSS) technologies that are increasingly embedded in almost all critical infrastructures. (46 pages)

FBI Cyber Bulletin: Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector

Federal Bureau of Investigation (FBI)

March 31, 2016

The FBI and the US Department of Agriculture (USDA) assess that the Food and Agriculture (FA) Sector is increasingly vulnerable to cyberattacks as farmers become more reliant on digitized data. Although precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans. (6 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Author Contact Information

[author name scrubbed], Senior Research Librarian ([email address scrubbed], [phone number scrubbed])

Acknowledgments

The author would like to thank Rebecca Annis, CRS information research specialist, for her contributions in updating the report.

Footnotes

1. See P.L. 107-56, §1016(e). Homeland Security Presidential Directive Number 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, released December 17, 2003, went further to describe the level of impact the loss of an asset must have to warrant considering the asset as "critical." This included causing catastrophic health effects or mass casualties comparable to those from the use of weapons of mass destruction; impairing federal agencies' abilities to perform essential missions or ensure the public's health and safety; undermining state and local government capacities to maintain order and deliver minimum essential public services; damaging the private sector's capability to ensure the orderly functioning of the economy; having a negative effect on the economy through cascading disruption of other infrastructures; or undermining the public's morale and confidence in our national economic and political institutions. HSPD-7 has since been superseded by PPD-21.

2. See Critical Infrastructure Security and Resilience, The White House, February 12, 2013, at http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.