The U.S. government has released a new set of standards aimed at preventing cyber-attacks on the nation’s critical infrastructure, including energy and transport systems, manufacturing, food and agriculture, and financial institutions.
The National Institute of Standards and Technology collaborated with hundreds of private sector companies on the guidelines, which were released Wednesday.
The so-called cybersecurity framework is, for now, completely voluntary.
The guidelines come one year after Obama issued a cybersecurity executive order in an attempt to get the private sector and government to communicate and plan for cyber intrusions.
“This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge,” President Obama said in a White House statement earlier this week.
The framework sets out a core set of cybersecurity activities for companies, as well as the desired outcomes. Businesses must be able to identify risk and implement safeguards, as well as detect and respond to a breach. They must also design a recovery plan so they can quickly restore capabilities and services after an event. Companies are ranked based on their level of preparedness.
Cybersecurity is top of mind for many businesses, especially banks and financial services. A recent breach of 40 million credit and debit card records and 70 million other records containing personal customer data from Target—the third-largest retailer in the U.S.—has left many asking why security is not tighter.
Other industries impacted by the new standards include the chemicals sector, emergency services, defense, and manufacturing.
Manufacturing is considered a prime target for attack because it makes up 13 percent of U.S. gross domestic product and directly employs an estimated 11.7 million of the nation’s workforce.
The guidelines directly address the manufacture of metals and machinery, electrical equipment, vehicles, and aviation and aerospace product and parts.
This could have far-reaching consequences for manufacturers and their extensive supply chains. And as products become more connected through software, cybersecurity will be an even greater issue.
Surprisingly, while the communications sector is a significant target of the new standards, many Silicon Valley techies—especially smaller firms—have had limited involvement. But this is likely to change going forward.
Phyllis Schneck, the deputy undersecretary for cybersecurity at the Department of Homeland Security, said this week that the cyber-resilience of Silicon Valley companies that don’t fall under the definition of “critical infrastructure” is of huge concern. Schneck cited the deep connection such firms have to Americans’ lives.
Rockwell Automation and Motorola Solutions were among the first to release statements conveying their support of the cybersecurity framework.