Regulatory harmonization in OT-critical infrastructure faces hurdles
In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI).
The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous.
Meanwhile, the magnitude of the threat against critical infrastructure continues to grow. In the 2024 IBM X-Force Threat Intelligence Index, 69.6% of attacks that X-Force responded to in 2023 were against critical infrastructure organizations. With a low threshold for downtime, critical infrastructure is a high-value target to adversaries.
Consensus among OT-related industries
Overall, OT-related critical infrastructure industries agree that the lack of regulatory harmonization harms both cybersecurity outcomes and business operations. For instance, the Business Roundtable, an association of more than 200 chief executive officers of leading U.S. companies, noted: “Duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.”
Industries within these sectors are calling for a more streamlined and coordinated approach to cybersecurity regulation. The hope is for less redundancy and a more cohesive security framework.
Explore IBM’s cybersecurity services
Growing pains and cybersecurity regulations
Unlike highly regulated sectors such as healthcare and financial services, OT-related critical infrastructure faces major hurdles in adapting to rapidly evolving cybersecurity regulations — not to mention the looming cyber threats.
OT-sectors have traditionally focused more on physical security and operational efficiency, with cybersecurity often taking a backseat. The introduction of new security regulations has exposed these industries to a steep learning curve. And to achieve compliance, this means significant investments in both time and resources.
One of the primary issues is the divergence in regulations across different jurisdictions and sectors. This complicates achieving compliance for businesses operating across multiple regions. A patchwork of requirements creates confusion and inefficiencies as companies must comply with multiple, often conflicting, sets of rules.
Information technology (IT) systems are more standardized and benefit from a long history of IT security development. Meanwhile, OT systems are often bespoke and any system downtime can have severe repercussions. This makes implementing cybersecurity measures more complex and costly. Additionally, older OT systems were not designed with cybersecurity in mind, which makes them difficult to secure against modern cyber threats.
Striving for regulatory adoption
In the past four to five years, several new cybersecurity regulations have been introduced targeting OT-related critical infrastructure industries. Notable examples include CISA’s guidelines for industrial control systems and the NIST updates to its Cybersecurity Framework (CSF) to better address OT environments.
However, the process of adopting these new guidelines has been fraught with delays. Many industries have struggled to integrate these regulations into their existing operational frameworks, often citing a lack of clarity and support from regulatory bodies. Additionally, the complexity of OT systems and their continuous operation make it difficult to implement security measures without disrupting core activities.
Scrutinizing proposed harmonizations
While the ONCD’s efforts to harmonize cybersecurity regulations are commendable, industry stakeholders feel that without significant federal leadership and coordination, true regulatory harmonization may remain elusive. Can proposed frameworks effectively bridge the gap between diverse regulatory requirements and the unique needs of each sector? Only time will tell.
Moreover, some fear the drive for harmonization could lead to onerous regulations that don’t account for sector-specific nuances. This could result in a one-size-fits-all approach unsuitable for the complex landscape of OT-related critical infrastructure.
There is a clear recognition of the need for better regulatory harmonization. The ONCD’s ongoing dialogue with industry stakeholders and its pilot reciprocity framework are steps in the right direction. Still, much work remains to ensure these initiatives translate into tangible security improvements.