CISA updates Secure Tomorrow toolkit to improve critical infrastructure defenses

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated the Secure Tomorrow Series toolkit to increase the preparedness of critical infrastructure owners and operators. These stakeholders face numerous challenges as social, technological, economic, environmental, and political changes lead to new and evolving risks at an ever-increasing pace. At the same time, the demands of operations, business, and other priorities compete for their time and attention, at the expense of the ability to focus on future resilience and security requirements.

“Given the numerous risk factors and the time demands of everyone involved, asking the right questions is critical to gaining better insights,” wrote Erin Walsh, deputy director of strategic foresight at CISA, in a news post. “While everyone wants to be prepared for whatever is on the horizon, discussions about an uncertain future can seem daunting, and an unfocused approach can lead to vague and unworkable strategies that can leave organizations and their employees less secure and less resilient.”

The Secure Tomorrow Series toolkit is designed to help fill this gap by structuring and facilitating these discussions. Each year, CISA selects three topics that have the potential to disrupt multiple national critical functions and examines how these topics may lead to emerging and evolving risks that impact critical infrastructure resilience and security. The update introduces three new topics – information and communications technology supply chain resilience, advanced manufacturing, and water availability.

These topics complement the existing Secure Tomorrow Series toolkit library, which covers brain-computer interfaces, synthetic biology, quantum technologies, anonymity and privacy, trust and social cohesion, and data storage and transfer.

Walsh added that CISA is using this knowledge base to build a toolkit for strategic foresight activities. The idea is to compile best practices, high-quality prompts, and extensive supporting materials so that critical infrastructure partners can safely bring together participants with subject-matter, regional, and sector-specific expertise and productively arrive at relevant and actionable risk mitigation strategies. The Secure Tomorrow Series toolkit products help filter and differentiate the real concerns arising from each topic, which participants can then anchor in the realities of their situation.

“Each toolkit activity is carefully designed to enable the activity sponsor to engage with their critical infrastructure community in a fun, challenging and productive way,” Walsh explained. “From matrix games that can be played in a single morning or afternoon session to one-day scenario workshops that integrate multiple topics to highlight systems and emerging risks, the toolkit offers activities geared toward varying levels of participation and time commitment. The hope is that these activities will result in greater risk mitigation insights that participants can bring back to their organizations, while strengthening networks to engage in further planning and implementation.”

In a publication titled “Scenario Workshop 3 – Summaries: Scenario Workshop – Scenario Summaries,” CISA noted that the workshop will use hypothetical scenario narratives to help participants explore how the operating environment for critical infrastructure owners and operators might evolve over the next three to seven years and how that evolution might impact the security and resilience of critical infrastructure systems.

The workshop’s three scenarios focus on plausible future changes related to three current issues in the areas of advanced manufacturing, information and communications technology, supply chain resilience and water availability.

CISA explained that different regions of the United States are increasingly at risk of too much or too little water. The three issues that have exacerbated jurisdictions’ water problems are the increasing impacts of climate change, aging water infrastructure, and lack of public trust.

So far, efforts to address these problems have proven inadequate. For example, the clean energy transition to reduce greenhouse gas emissions and combat climate change has been hampered by slower-than-expected adoption of electric vehicles, challenges in developing and retraining the workforce, and the failure to integrate new materials and greener processes at scale. A more moderate future will require excessive efforts to address these problems in the future.

The second scenario focuses on the 2020s, a time when the United States enters a new era of great power competition, driven primarily by the pursuit of technological leadership. Efforts to control key technologies such as semiconductors lead to partial international decoupling, reshoring of production in critical sectors, and tensions in supply chains.

CISA found that despite significant success in bringing production of critical technologies domestically, the United States faces an uncertain future through 2030, as it is not clear whether its policies and investments of the past decade will be sustainable without permanent government subsidies and ongoing protectionism. In addition, protectionist trade and investment policies have limited U.S. access to several international markets. At the same time, the advent of artificial intelligence has changed the landscape for both cyberattacks and cyberdefense.

The third scenario examines the situation in Monroe, where the city has announced that its water supply is sufficient to last less than six months, which would result in drastic cuts that would significantly impact both residents and businesses. “However, Monroe is just one of many cities across the United States likely to face a water crisis. Water systems face many stresses, but one of them is underestimated: the needs of the energy sector,” CISA added.

As the United States pursues an energy transition (i.e. investing in alternative fuels, photovoltaics, electric batteries, etc. to reduce carbon dioxide emissions), energy demand is increasing, leading to greater dependence on traditional energy sources, at least in the short term.

“Energy production is a water-intensive process, as is the production of the equipment needed to produce it,” the CISA statement says. “The author of the scenario’s fictional essay advocates a more holistic approach to water resources: examining needs and finding solutions across different jurisdictions (as long as they draw on the same water sources) and sectors, particularly in the energy and agriculture sectors.”

Last month, Secretary of Homeland Security Alejandro N. Mayorkas provided strategic guidance to strengthen critical infrastructure security and resilience. The directive, based on President Joe Biden’s National Security Memorandum (NSM-22), directs federal agencies, critical infrastructure owners, and other stakeholders to focus on specific risk areas. It also lays out priorities for the 2024-2025 National Critical Infrastructure Risk Management Cycle defined in NSM-22. This comprehensive effort, planned for the next two years, is designed to protect the critical infrastructure systems that are essential to everyday American life.

Anna Ribeiro

Editor for Industrial Cyber ​​News. Anna Ribeiro is a freelance journalist with over 14 years of experience in security, data storage, virtualization and IoT.