Learn about CIRCIA and Infrastructure Business Compliance

Much of our attention this year has been focused on problems with the economy such as high gas prices, the lack of affordable housing nationwide, and soaring inflation. While we have been distracted by the issues of increasing costs and day-to-day living, many people may have overlooked a new cybersecurity law this year called the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.

2022’s New CIRCIA Law

Signed into law in March of this year by President Joe Biden, CIRCIA is another step toward the United States achieving a stronger cybersecurity posture. One of the major parts of the new legislation requires the Cybersecurity and Infrastructure Security Agency (CISA) to both develop and implement cybersecurity regulations for covered entities.

Additionally, these CISA regulations have a reporting component for certain types of cyber incidents and ransomware payments. Requiring covered entities, such as companies that operate critical infrastructure like power plants, water treatment facilities, and dams, to report cyber incidents allows CISA to rapidly deploy resources and provide assistance to the victims of such attacks. Furthermore, CISA can analyze incoming reports across various industries to identify trends and quickly disseminate vital information to others to warn them of potential threats.

Why Another Cyber Law?

In May 2021, when Colonial Pipeline was hacked, it became glaringly apparent how vulnerable infrastructure in the U.S. really is. Colonial Pipeline is the top U.S. fuel pipeline operator and the cyberattack negatively impacted the fuel supply to nearly half of the Eastern seaboard. Not only were automobiles impacted, but the shutdown also affected the airline industry as the cyber incident created a jet fuel shortage for many carriers including American Airlines, according to a report by TechTarget.

Furthermore, the incident involved ransomware, which is another issue that CISA and the U.S. government have been battling, recommending that companies refuse to pay ransoms. The DarkSide attackers that took responsibility for the breach requested a ransom of 75 bitcoin, which was worth approximately $4.4 million at the time of the attack.

Though the U.S. Department of Justice (DoJ) was able to identify the digital address of the wallet the attackers used and obtained a court order to seize the bitcoin, only 64 of the 75 bitcoin that Colonial Pipeline paid were recovered. That means the company lost approximately $2.4 million as a result. The hack of Colonial Pipeline exposed a serious chink in the armor of the U.S. when it came to our valuable infrastructure. As a result of the Colonial Pipeline attack and the increased, persistent cyber campaigns threatening the public sector, the Biden Administration issued an executive order on May 12, 2021, directing all government agencies to take practical steps to boost their cybersecurity.

Request for Information

CISA has issued a request for information from the public as it works to develop the new regulations required by CIRCIA. The CIRCIA law requires that CISA publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA as part of the process for developing these regulations.

The request for information was published on Sept. 12, 2022, in the Federal Register and will remain open for a total of 60 days, closing on Nov. 14, 2022. If your company or organization works with critical infrastructure, now is the time for your voice to be heard by CISA before new cybersecurity rules are implemented. Submissions entered after the Nov. 14, 2022, deadline may not be considered.

All submissions regarding CIRCIA must include the agency name and Docket ID. Comments may be submitted electronically by doing the following:

  1. Visit www.regulations.gov and enter CISA-2022-0010 in the search field.
  2. Click the “Comment Now!” icon and complete the required fields.
  3. Enter or attach your comments.

Note that all submissions, including attachments and supporting materials, submitted during the public comment process will become part of the public record. Be sure not to include personal information such as account numbers, social security numbers, or names of other individuals. Also do not include confidential business information or sensitive or protected information in your public comments.

In addition to the opportunity to give input, the public and businesses involved with critical infrastructure are invited to attend a series of public listening sessions around the country. You can see the list of dates and locations on the Federal Register. Registration is encouraged for the public listening sessions and priority will be given to those who register in advance. You can register to attend one or more CIRCIA Regional Public Listening Sessions here.

How This Impacts Businesses

Any business involved with critical infrastructure in the U.S. will be impacted by CIRCIA. When the Final Rule implementing CIRCIA’s reporting requirements goes into effect, all public infrastructure owners and operators will be required to report cyber incidents and ransomware payments. Those failing to do so could face stiff penalties and even criminal prosecution as a result.

In the interim, CISA encourages critical infrastructure owners and operators to voluntarily share information about cyber incidents and ransomware payments. This information will allow CISA to render assistance as well as forewarn others about potential threats and attacks. Such information is now viewed as critical to protecting American interests.

For more information about CIRCIA 2022, contact Rulemaking Team Lead Todd Klessman at CISA at circia@cisa.dhs.gov or call (202) 964-6869.

To report unusual cyber activity, cyber incidents, or ransomware payments, contact CISA anytime day or night at report@cisa.gov or call (888) 282-0870.

If you’d like assistance with better securing your business, especially if it operates in the critical infrastructure industry, contact ORAM Cybersecurity Advisors now at (617) 933-5060 to schedule a free, no-obligation initial consultation.