High stakes consequences in the industrial sector
In the past, incident reporting dynamics strongly favored threat actors. They could learn about their prospective victims from public information sources, but targeted organizations were reluctant to disclose cyberattack or breach information for fear of reputational damage, public exposure, or other reprisals.
Incident underreporting has frequently led to inaccurate risk awareness. There’s simply not enough visibility into the speed, volume, and sophistication of cyber incidents to accurately understand the risk implications, especially in production operations. And with the industrial sector already slower to adopt new processes and technologies given complex infrastructures, incident reporting delays can double or triple the length of time needed to act in implementing the right protections.
Without this data, organizational leaders have unknowingly left their infrastructures vulnerable, and with them, millions of customers and citizens who rely on these services. Meanwhile, lawmakers have had less focus on developing policy. As the war in Ukraine demonstrates, visibility into the activities of cybersecurity threat actors, whether garden-variety criminals or nation-state military forces, is critical.
CIRCIA’s intent is to support greater information-sharing to better equip defenders to respond to incidents more quickly and effectively, and to develop better macro insights and protections. The law will also enable threat researchers – and the public – to better understand the true magnitude of present-day cybersecurity risks.
New CIRCIA requirements
CIRCIA requires owners and operators of Critical Infrastructure, including those without U.S. federal government contracts, to report cybersecurity incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) within a specified time frame.
The regulation defines Critical Infrastructure broadly. As defined in Presidential Policy Directive 21³ the category encompasses 16 sectors including energy, the defense industrial base, dams, water and wastewater systems, the chemical industry, critical manufacturing, transportation, and nuclear facilities.
This means that the rule is applicable to most, if not all OT operators, and its provisions may also apply to service providers who support organizations in those industries.
Regulation – with protection
Congress continues to debate the new CIRCIA regulation, including exactly what a ‘substantial cyber incident’ entails, and what’s needed for a covered entity to ‘reasonably believe’ that such an incident has occurred. As the law currently stands, covered entities are required to report:
- substantial cyber incidents no later than 72 hours after the affected entity reasonably believes that the incident has occurred; and
- all ransom payments within 24 hours after the payment was made.
Though these reporting requirements have already been signed into law, they won’t go into effect until they’ve been finalized by CISA. Final rules must be published no later than September 2025, but CISA may choose to develop and publish them before that date.
While the law grants enforcement powers to CISA, it also provides significant legal protections for organizations that report on cyber incidents and ransom payments. In addition, those who report on incidents can expect to receive significant assistance from the FBI and the U.S. Secret Service to help them stop attacks in real-time and bring cybercriminals to justice.
CISA’s CIRCIA is the tip of the iceberg. While groundbreaking in several ways, including endowing CISA with first-ever enforcement powers4, it’s only one of several new and proposed cybersecurity incident reporting rules in the U.S. and other countries. As threats increase, we expect to see increasing pressure on regulators to issue more rules about disclosure and cyber risk mitigation.
For example, the Securities and Exchange Commission (SEC)5 has proposed that publicly traded companies be required to disclose the nature and scope of material cyber incidents, and report their effects on company operations. The Federal Communications Commission (FCC)6 and Transportation Security Administration (TSA)[iv] have also proposed or published disclosure requirements.
In the E.U., the Directive on Security Network and Information Systems8 – along with a host of other regulations9 – mandate that Critical Infrastructure providers report breaches. On a global scale, the United Nations is discussing the parameters of an international treaty10 focused on individual data protection and cyber resilience.
How to prepare
OT operators should “prepare now for greater regulatory scrutiny, along with a climate of more frequent crises in this ever-evolving threat landscape,” explained Kamil Karmali, Sr. Global Manager for Rockwell Automation OT Cybersecurity Consulting Services.
To start, Karmali recommends you have the right defensive capabilities in place as part of an ongoing cybersecurity program, including such elements as real-time threat detection, network segmentation, endpoint security, patch management, identity and access management, incident response plans or related programs geared toward production recovery. These capabilities will typically provide the documentation needed for compliance reporting.
OT operators should also become familiar with the security incident report template on CISA’s website. This straightforward form is available here.
Building strong relationships with law enforcement can also help to ensure that OT operators are able to avail themselves of government assistance quickly, should the need arise.