What the 'Must Be This Tall to Ride Sign' says about Cybersecurity and Critical Infrastructure

When asked to summarize the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (‘NSM’) in 7 words or less (yes, the memo whose name alone runs past 7 words), Patrick Miller compared it to a “You Must be This Tall to Ride” sign (‘ThisTall’).

Must Be This Tall to Ride

Not that sign! The one that bubbles up lifelong frustration and disappointment in the hearts of 3-year-old children everywhere when they are told they can’t ride the best ride at the amusement park. And for a few adults too. Not me, of course, now that I exceed the minimum requirements to get on any ride in the park, but yes my friends, that’s what the NSM ultimately is. A ThisTall sign.

The Memorandum will start with these 4 sectors: (1) electricity subsector, (2) natural gas pipelines, (3) water/wastewater and (4) chemical sectors, but could later extend to all 16 critical infrastructure sectors.

So How Tall is ThisTall?

The NSM is an attempt to rectify the patchwork of regulations that currently exist amongst the 16 sectors identified by the Department of Homeland Security as ‘Critical Infrastructure’. ThisTall will be established through a set of baseline cybersecurity controls, expected to be released by July 28, 2022. NIST 800-53 and 800-82 are being promoted as the control sets.

The words ‘National Security’ could possibly grant the Memorandum extended reach into all 16 critical infrastructure sectors at a national level. For example, in the electric sector, where NERC CIP regulations don’t currently apply to Distribution, future security requirements could include Distribution.

Measurement will be managed by CISA along with each sector’s Sector Risk Management Agency, but since the initiative is voluntary, there is no known enforcement or monitoring function. On or before September 22, 2021, when the final details are expected to be released, we should know more about how progress will be measured.

How Hard Will it Be?

Fortunately, securing our critical infrastructure isn’t a new idea. If you’ve been implementing controls, then this shouldn’t be that difficult. You can continue to build on what you’ve already got implemented. But it is important to participate. And the earlier the better.

But don’t take my word for it. Join me and Patrick Miller in this video, as he explains all the reasons why it makes sense to act now.