Exclusive: Biden admin launching new chemical sector cyber strategy
Add Axios as your preferred source to
see more of our stories on Google.
The Total Energies Leuna refinery in Germany in Oct. 2022. Photo: Jan Woitas/picture alliance via Getty Images
The Biden administration will announce a new 100-day sprint later today aimed at better protecting chemical facilities and manufacturers from cyberattacks, a senior administration official tells Axios.
Why it matters: The chemical sector has been running on cybersecurity regulations that haven't been updated in more than a decade. Those are no longer enough to fend off the sprawling threat facilities face, the official said.
The big picture: The administration has been focusing on strengthening cyber practices among the country's 16 critical infrastructure sectors, one industry at a time.
- The senior administration official told Axios that today's plan incorporates lessons learned from previously announced initiatives involving the electric sector, oil and gas companies and water systems — such as looping in the industry and collecting feedback before launch.
Details: The senior administration official told Axios the plan coming today from the White House and the Cybersecurity and Infrastructure Security Agency will have several components to it — mirroring previous 100-day sprints for the electric, oil and gas and water sectors.
- During the sprint, CISA and the Chemical Sector Coordinating Council, a group of 15 chemical industry groups, will form a new task force to discuss ways to implement and solicit feedback on issues that arise.
- The agency and coordinating council will also collaborate to encourage more chemical companies to adopt cybersecurity monitoring tools, which helps companies detect unusual activity on the systems that actually run their physical machinery.
- CISA will also work with the chemical sector to create a mechanism to foster more threat information-sharing between the agency and the sector.
- CISA plans to explore creating new incentives for the industry as a means of encouraging operators to participate in the voluntary program.
A senior CISA official also told Axios that the agency will encourage the chemical sector to adopt new cybersecurity performance goals it's releasing later this week, which will lay out baseline guidelines for all critical infrastructure sectors.
- "If we're going to be having this focused effort on the chemical sector, we don't want to lose the opportunity to push the sector to make the kind of overall improvements in their cybersecurity that we think are needed," the CISA official said.
The intrigue: Unlike other sectors' sprints, the chemical one will solely run through CISA since the agency is also the chemical sector's risk management agency.
- Other sprints have involved the Energy Department, Transportation and Security Administration and the Environmental Protection Agency as partners.
What they're saying: "100 days is not a lot of time for big cybersecurity changes," the CISA official said.
- "But this is a matter of putting as much pressure as we can to make as much progress as we can now and then identify how we can continue this progress over the long-term."
What's next: During the 100-day sprint, CISA will be focused heavily on trying to jumpstart cybersecurity changes within the sector, but the CISA official said these conversations will continue even after the sprint is over.
- The administration is also expected to focus on the healthcare and communications sectors in the coming months.
