Regulatory harmonization in critical OT infrastructure faces obstacles

In an effort to increase the cyber resilience of critical infrastructure, the Office of the National Cybersecurity Director (ONCD) recently published a summary of feedback from the Request for Information (RFI) for the harmonization of cybersecurity regulations for 2023.

The responses reveal serious concerns on the part of critical infrastructure operational technology (OT) industries such as energy, transportation and manufacturing. Their concerns include the currently fragmented regulatory landscape and the difficulty of adapting to new cyber regulations. The frustration appears to be unanimous.

Meanwhile, the scale of the threat to critical infrastructure is constantly growing. According to the 2024 IBM X-Force Threat Intelligence Index, 69.6% of attacks that X-Force responded to in 2023 targeted critical infrastructure organizations. With a low downtime threshold, critical infrastructure is a high-value target for adversaries.

Consensus among OT-related industries

Overall, the OT critical infrastructure industry agrees that a lack of regulatory harmonization harms both cybersecurity performance and business operations. For example, the Business Roundtable, an association of more than 200 CEOs of leading U.S. companies, noted: “Duplicate, conflicting or unnecessary regulations require companies to devote more resources to meeting technical compliance requirements without improving cybersecurity performance.”

Industries in these sectors are calling for a more streamlined and coordinated approach to cybersecurity regulation. They hope for less redundancy and a more consistent security framework.

Growing pains and cybersecurity regulation

Unlike highly regulated sectors like healthcare and financial services, OT-related critical infrastructure faces significant hurdles in adapting to rapidly changing cybersecurity regulations – not to mention looming cyber threats.

OT sectors have traditionally focused more on physical security and operational efficiency, with cybersecurity often taking a backseat. The introduction of new security regulations has put these industries on a steep learning curve. Achieving compliance means significant investment in both time and resources.

One of the main issues is the divergence in regulations across jurisdictions and sectors. This complicates compliance for companies operating in multiple regions. A patchwork of requirements creates confusion and inefficiency because companies must adhere to multiple, often conflicting, sets of rules.

Information technology (IT) systems are more standardized and benefit from a long history of IT security development. Meanwhile, OT systems are often custom-made, and any system downtime can have serious consequences. This makes implementing cybersecurity measures more complex and costly. Additionally, legacy OT systems were not designed with cybersecurity in mind, making them difficult to protect against today’s cyber threats.

Pursuing the adoption of regulations

Over the past four to five years, several new cybersecurity regulations have been introduced targeting OT-related critical infrastructure industries. Notable examples include CISA’s guidance on industrial control systems and NIST’s updates to its Cybersecurity Framework (CSF) to better address OT environments.

However, the process of adopting these new guidelines has been fraught with delays. Many industries have struggled to incorporate these provisions into existing operational frameworks, often citing a lack of transparency and support from regulators. Additionally, the complexity of OT systems and their need for continuous operation make it difficult to implement security measures without disrupting core operations.

Analysis of proposed harmonizations

While ONCD’s efforts to harmonize cybersecurity regulations are commendable, industry stakeholders believe that without significant leadership and coordination at the federal level, true regulatory harmonization may remain elusive. Can the proposed framework effectively bridge the gap between diverse regulatory requirements and the unique needs of each sector? Only time will tell.

Moreover, some fear that the drive for harmonization may lead to burdensome regulations that do not take into account sector-specific nuances. This may result in a one-size-fits-all approach that is inappropriate for the complex OT critical infrastructure landscape.

The need for better harmonization of regulations has been clearly recognized. ONCD’s ongoing dialogue with industry stakeholders and the pilot reciprocity framework are steps in the right direction. However, much work remains to ensure that these initiatives translate into measurable security improvements.