The Department of Homeland Security (DHS) has unveiled a new set of rules for critical infrastructure reporting in the wake of cyberattacks and other cyber incidents. These rules, overseen by the CISA under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), will streamline the process for organizations to report incidents to the federal government.
Security experts have weighed in on the proposed rules, emphasizing the need for a unified approach to cybersecurity requirements across industries and government entities. Jose Seara, CEO and Founder at DeNexus, highlighted the importance of simplifying cybersecurity programs through alignment with regulators and agencies like the SEC and CISA. Meanwhile, John Gallagher, Vice President of Viakoo Labs at Viakoo, praised CIRCIA as a significant step towards enhancing awareness and coordinated responses to cyber threats in critical infrastructure.
The proposed rules are particularly focused on addressing IoT/OT/ICS vulnerabilities in critical industries and aim to accelerate information sharing and best practices within these sectors. By establishing clear reporting timelines for different types of incidents, such as cyber incidents and ransomware payments, CISA hopes to minimize the impact of breaches and reduce the window of vulnerability for organizations.
The estimated costs associated with implementing these rules, at $2.6 billion over 11 years, are seen as a modest investment considering the potential risks posed by cybercrime and critical infrastructure incidents. Overall, the industry response to the proposed rules has been positive, with many experts applauding the proactive measures taken by the DHS and CISA to strengthen cybersecurity in critical infrastructure sectors.