In the digital age, organizations and the missions and business processes they support rely on information technology and information systems to achieve their mission and business objectives. Not only is technology used to efficiently enable businesses to carry out operational activities, but it is also the backbone for the United States' critical infrastructure. Although technology may reduce risks associated with the human factor and legacy data-processing, it introduces new risks that, if left unaddressed, could result in adverse impacts on critical infrastructure.
The dependency on the 16 United States critical infrastructure sectors is crucial, as they provide vital services, stability, and resources that enable the country to function. The U.S. acknowledges that adequate critical infrastructure protection cannot be achieved by the U.S federal government alone. The security of critical infrastructure components requires the governance and support of private sector organizations across various infrastructure sectors. Adopting, implementing, and integrating security practices across federal and private entities is necessary to achieve critical infrastructure cyber resiliency.
The NIST Cybersecurity Framework
To strengthen the case for critical infrastructure cybersecurity, President Barrack Obama issued Executive Order (EO) 13636 in February 2013. The Executive Order focused on strengthening cybersecurity between the federal and private industries, and it calls for a cybersecurity framework that can be applied to both government and private industry to improve critical infrastructure cybersecurity. The Executive Order resulted in the creation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which was initially released in February 2014.
The current version of the Cybersecurity Framework provides a flexible approach that can be tailored to adapt to any organization, small or large. At its core, the Cybersecurity Framework consists of five different functions: Identify, Protect, Detect, Respond, and Recover. The functions can also be broken down further into categories, subcategories, and informative references.
Achieving Cyber Resiliency with the Framework Functions
The activities within the identify function build the foundation for the rest of the framework's core functions. Organizations depend on assets to carry out their mission-essential business functions. Therefore, these assets must be properly identified and valuated. Traditionally, organizations have been led to believe that they can never have enough cybersecurity protective measures in place. However, that is usually not the case. Organizations should protect assets in a manner that is commensurate with the value in which those assets provide to the organization. Ultimately, protective measures should be based on the results of risk analysis in addition to cost/benefit principles.
As previously stated, the identify function acts as the foundation for the rest of the CSF core functions. Once assets have been identified and valuated, protection measures can be applied. Protection measures may include a combination of physical, technical, and administrative controls including, but not limited to, maintenance, identity and access management, and security awareness and training. Regardless of the protection measures selected, they should be consistent with asset value and the potential adverse impacts to mission and business objectives.
The detect function is a critical core component of the CSF and continuous monitoring. For instance, if personnel cannot detect potential attacks, then how can cyber professionals thwart them or reduce their impact? Government and industry are faced with cyber events daily. Appropriate detection requires tools and adequately staffed teams of cyber detection and incident response specialists with the proper skills to monitor systems and networks for abnormal events. Real-world implementation of intrusion detection capabilities includes the U.S Cybersecurity and Infrastructure Security Agency’s EINSTEIN system, which is used to detect and block malicious traffic across the Federal Civilian Executive Branch (FCEB).
Detecting indicators of potential threats and attacks is one thing. However, formulating that information into a response plan is a different story. As previously stated, the first step is to detect security events and possible incidents. The respond function goes a step further. Once an incident has been detected, designated personnel should initiate their organization's incident response procedures. Speaking of response, the Continuous Diagnostics and Mitigation (CDM) program comes to mind. CDM was established to further optimize the continuous monitoring capabilities of the U.S. Federal Government. It provides real-time information and events regarding the landscape of threats and vulnerabilities to systems and networks with interactive dashboards. CDM helps federal agencies increase visibility, strengthen cyber capabilities, and streamline reporting efforts.
The timely recovery of assets is vital to the continuity of business operations regarding critical infrastructure sectors. As early as the identify function, a Business Impact Analysis (BIA) is a must. The BIA results in the identification of Recovery Time Objectives (RTO), Maximum Tolerable Downtime (MTD), and Recovery Point Objectives (RPO) for each mission and business function and associated IT assets. These can later be used as the basis for business continuity planning and disaster recovery. Planning for the recovery and reconstitution of information technology assets is crucial to the resumption of business operations between both private organizations and the U.S. Critical Infrastructure as a whole.
There are a variety of threats that face the U.S Critical Infrastructure. These threats can range from physical and environmental issues to external actors and insider threats. The Cybersecurity Framework is an excellent resource for integrating and aligning security risk management activities between the federal and private sectors. The CSF provides a flexible risk-based approach that can be applied to all stakeholders and organizations that support the United States' critical infrastructure. By leveraging the CSF, both commercial industry and governmental agencies can effectively manage critical infrastructure cyber risk as well as increase communication and information sharing between federal and private sector organizations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.