America's long-awaited cyber attack reporting rules for critical infrastructure operators are inching closer to implementation, after the Feds posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

President Joe Biden signed CIRCIA into law in March 2022, and that set a timer for the US Cybersecurity and Infrastructure Agency (CISA), which had two years to propose a rule.

As proposed, the 447-page rule [PDF] would require organizations that fall under any of the United States' 16 critical infrastructure sectors to report "substantial cyber incidents" within 72 hours of discovering them. This essentially includes any digital intrusion that leads to substantial harm, poses a significant threat to the organization's ability to function, or threatens national security, public health, or safety.

It also would require these organizations to report ransom payments within 24 hours.

"These reports will allow us to rapidly deploy resources and render assistance to victims suffering an attack, analyzing and cutting reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims," a senior CISA official told reporters on Wednesday.

The reports won't be publicly disclosed - both to encourage compliance and also to protect those providing critical services to the public, it was said. However, "key information" about a cyber attack - with the specific victim being anonymized - will be shared with the relevant industry sectors to help them protect against subsequent issues, the official added.

The rule does have an exception for critical infrastructure orgs that fall under the US Small Business Administration's small-business size standard, based on number of employees or annual revenue. This means some small water and wastewater systems, or energy cooperatives, for example, won't have to meet the reporting requirements.

These cyber incidents are reports to CISA via a website, which the senior official said would be released alongside the final rule. Between now and then, CISA will develop detailed guidelines for reporting - including the specific procedures and required information - and also work with other government agencies to streamline critical orgs' reporting requirements.

The information required, however, "is likely to be far more technical than the kind of broad information that you see in responses to the SEC and the 8K filings that companies are doing under SEC reporting requirements," the CISA official explained. 

It will likely include indicators of compromise, a list of any vulnerabilities that may have been used in the cyber attack, and what impact the incident had on systems and operations. 

"We're seeking more specific information because that is how you will use it to enable broader cyber defense across the ecosystem," the CISA official noted.

The proposal is scheduled to publish in the Federal Register on April 4, and from that time the public will have 60 days to submit written comments before the regulations become law. CISA expects to publish the final rule within 18 months after the public comment period closes.

Since 2022, CISA has sought input from both the public and private sectors on CICRIA via an earlier request for information and subsequent listening sessions.

More secure? Or just more bureaucracy

As the latest comment period opens, one issue that will likely receive some pushback from industry is the added layer of compliance that the cyber security reporting rule will put onto critical infrastructure owners and operators.

"There's already a huge, huge strain on resources - and not just financial but human resources - to maintain compliance across all critical infrastructures," Chris Warner, operational technology security strategist at GuidePoint Security, told The Register. "OT security folks don't grow on trees."

Warner used three separate Florida water districts as examples. "They had five people in IT, doing the OT security, so they don't even have the resources or the funding."

There's a lot of work to be done, likely via legislation, to harmonize sector mandates across all of the state and federal bodies that oversee sectors as varied as water agencies, energy utilities, and health care facilities, he added. 

"Unfortunately, it's going to take a long time for that to happen," Warner lamented. "And that's too long because we're seeing a significant increase in attacks."

The mandated cyber reporting "is a good move in the right direction," he added. And certain pieces of the proposal - including bringing back the Chemical Facility Antiterrorism Standards (CFATS), which expired in July 2023 - will make the country safer, Warner believes. 

"Give these companies a chance to build up their [cyber security] programs," he argued. "Many of these have small security departments that don't have a full appreciation of the OT side - that's where the rubber meets the road, the actual things that run our nation."

There's already a shortage of OT security personnel, and adding compliance requirements will further strain financial and personnel resources, Warner added. 

"They are inundated with trying to implement these new frameworks, or adhere to frameworks in parallel with compliance so they don't get fined to death," he argued. "And then adding legislation that you need to report it in this certain way - CISA could dial it down, have a focal point for one reporting structure." ®

https://www.theregister.com//2024/03/28/critical_infrastructure_cyberattack_reporting/