Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September

Continue Reading CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a physical environment that are commonly used in manufacturing, utilities, oil and gas production, transportation, and other industrial operations.  The Guidance, which will be of interest to any organizations that have an OT environment, is intended to help critical infrastructure entities develop and implement an OT asset inventory and taxonomy to protect their critical assets and improve incident response preparedness.  It comes in advance of upcoming cyber incident reporting requirements for critical infrastructure in the U.S. under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) and in the EU under the revised Network and Information Systems Directive (“NIS2 Directive”).  The Guidance is the latest in a series of joint releases from CISA, FBI and other U.S. and international partners on various security-related topics largely intended for critical infrastructure, including AI data security, product security bad practices, quantum computing cyber threats, and secure software development.Continue Reading CISA Publishes OT Asset Inventory Guidance for Critical Infrastructure

On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda.  In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in

Continue Reading Trump Administration Issues AI Action Plan and Series of AI Executive Orders

The U.S. Federal Energy Regulatory Commission (“FERC”) recently issued Order No. 907 (the “Order”), approving a new Critical Infrastructure Protection (“CIP”) Reliability Standard, CIP-015-1.  The new standard will require covered entities that maintain certain bulk electric systems (“BES”) to implement Internal Network Security Monitoring (“INSM”) for network traffic within their “electronic security perimeter,” i.e., the logical border surrounding the network of interconnected devices that comprise a BES Cyber System.  However, as discussed below, these requirements will not go into effect for approximately three years, and many covered entities will have an additional two years before they are required to comply.Continue Reading FERC Finalizes New Internal Network Security Monitoring Requirements for Bulk Electric Systems

On June 30, 2025, the Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) warned U.S. critical infrastructure organizations and other companies that the threat of cyber attacks from Iran-affiliated cyber actors is heightened

Continue Reading U.S. Government Issues Cybersecurity Warning to Critical Infrastructure Operators and Others

As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent ways in which Member States had implemented requirements under the prior directive, NIS. To help improve harmonization further, the Commission has now issued two guidance documents to help assess when NIS2 or sector-specific requirements apply, and to ensure that registration requirements are consistent across the Union.
Continue Reading European Commission Publishes Guidance on NIS2: Interplay with Sector-Specific Laws

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eye” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.”  The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).

In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.
Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure