CISA CPGs will likely set acceptable standards for organizational cybersecurity posture across critical infrastructure

November 20, 2022 – Published on Industrial Cyber

Intending to reduce cyber risk across critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a set of voluntary and not comprehensive cross-sector cybersecurity performance goals (CPGs) to help establish a standard set of fundamental cybersecurity practices for the critical infrastructure sector. These baseline objectives will likely help raise industrial cybersecurity posture while prioritizing decisions, spending, and driving action. 

Developed by the Department of Homeland Security, through CISA, at the direction of the White House, the CPGs are designed to be easy to understand and to communicate to non-technical audiences. The CPGs were informed by existing cybersecurity frameworks and guidance, along with real-world threats and the adversarial tactics, techniques, and procedures observed by the agency and its partners. These benchmarks also aim to improve OT cybersecurity and to help organizations respond to OT cyber incidents more rapidly and effectively.

“The CPGs are essentially a subset of the NIST CSF and have the potential to help smaller or resource-limited critical infrastructure organizations to start or further mature their cybersecurity program,” Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, told Industrial Cyber. “The CPGs could help bridge IT, OT, and the business to start working together on actionable, less complicated guidance to increase their cybersecurity posture and continue to enhance their cybersecurity program by aligning to the NIST CSF and IEC 62443.” 

Warner added that the challenge is that cross-sector organizations use diverse systems and different terminology, have limited expertise in their OT/ICS departments, and may rely on IT cybersecurity teams for OT security. “There will need to be an effort to establish more collaboration between IT, OT, and the business to develop enterprise cybersecurity programs that include a Governance, Risk, and Compliance (GRC) department that addresses OT/ICS security.”