
When Executive Order 13636 “Improving Critical Infrastructure Cyber Security” was signed, it mandated that it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure, with critical infrastructure being defined as systems and assets – whether physical or virtual – so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

As the NIST Cyber Security Framework efforts begin to take a more final form with the published draft, it appeared to be a good time to give it another look to get an idea if all of this effort answers the core requirement of the executive order as identified above.

When reviewing, I was looking for guidance, context, and any direction that alluded to how a critical infrastructure organization could be more “resilient” with their critical systems that would “have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

It's clear that the efforts by NIST and industry stakeholders will eventually become an industry standard, whether through formal regulation or by establishing itself through legal precedent. However, questions still arise, such as: what organizational products and services would have a debilitating impact on the nation? Does this framework apply to my entire corporate environment? How does this framework affect other regulatory requirements such as PCI, SOX, HIPAA and state privacy laws? Which products and services can operate at Tier One process maturity versus Tier Four?

The Department of Defense (DoD) has had similar challenges that continue to be debated depending on where the conversation is. Outside of the Critical Infrastructure sector, the DoD would be the largest user of special purpose systems by nature of their weapons programs, medical, energy and logistics capabilities.

The challenge is how to take cyber security standards that historically originated from Certification & Accreditation requirements and apply them to special purpose systems. The bottom line was that it was consistently difficult to take frameworks written in the context of a CIO/IT corporate environment and apply them to systems that don't operate in that environment.

The Department of the Navy (DoN) made an attempt to address this issue by implementing a "Platform IT" program.

Platform IT (PIT) is defined as: computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. Examples of Platform IT include Industrial Control Systems/SCADA, and could also include bio-med systems for the health sector, SmartGrid for energy, etc. PIT does not include general purpose systems such as email, collaboration, financial, ticketing, and scheduling applications.

By allowing a system to be designated as "Platform IT" and, by that designation, treating it as special purpose, the organization had some flexibility in how to implement cyber security based on the system's mission rather than a canned, one-size-fits-all framework. Instead of controls, you would implement "countermeasures"; rather than a "Systems Development Life Cycle (SDLC)," you used systems engineering with a focus on reliability, resilience and dependencies as key performance parameters, not control compliance.

In the DoD, the Platform IT concept did not gain much traction due to its own internal policy challenges; however, the concept is sound. Critical infrastructures should consider designating their systems and subsystems as special purpose, whether you use the Platform IT title or not.

Carve out and separate those mission critical systems and subsystems that truly provide critical services, go through the data governance of those environments, and truly understand what is critical versus what is corporate. Additionally, based on the current draft framework, you are really targeting the "Identify" function of the cyber security framework, but in a way that no NIST/ISO/COBIT guidance will tell you. Understand the dependencies of those services and how resilient they are. A good article on just how to do that:

Additionally, the Cyber Security Research Alliance and the National Institute of Standards and Technology (NIST) have recently created a report outlining recommendations on how to design in cyber security for cyber-physical systems. The report can be located here:

This is a perfect example of how to apply engineering best practices and principles to systems designated as Platform IT. Remember, “compliance does not result in good security but good security does result in compliance.”


About the Author: Adam Meyer is currently the Chief Information Security Officer for one of the largest public transportation systems in the United States. Before serving in his current position, Adam served as the Director of Information Assurance/Cyber Security for the Naval Air Warfare Center, Naval Air Systems Command. Prior to focusing on the cyber security discipline, Adam served in positions supporting Network Engineering & Operations, Enterprise Architecture & Configuration Management, Emergency Power and Systems Engineering for organizations such as White House Communications, Army Pentagon, Joint Interoperability Test Command (JITC) and the Intelligence Community. Adam also provides specialized training and consulting services as the President of CyberWise Advantage Inc. in the areas of Business Resiliency, Data Governance, Risk Management and Systems Security Engineering, with an additional focus on cyber security issues for small and medium sized businesses.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


Title image courtesy of ShutterStock

  • Platform IT seems like a reasonable approach. You said that generic services such as email shouldn't be included. Here's the problem with that. If critical systems are secured but email and public-facing activities are contracted out, e.g. to Amazon Web Services' government/private cloud, which is what DoD and NASA have done, the critical systems will be vulnerable. I just wrote a long elaborate example, then deleted it for discretion's sake.

    There are exotic theoretical threats running around, such as auditory signals being used to penetrate air gapped systems, and establishing a one or even two-way connection to wrest control of SCADA or other ICS, see
    I think that the real vulnerability is the mania with contracting everything out due to the belief that private is always better. Contracting can work, when personnel and equipment are on-site with supervision by critical infrastructure facility staff. I am often told that contracting is less expensive though. It is uneconomic, pointless to build systems that can't be risk-tolerably secured at a realistic cost.

  • Adam Meyer

    Ellie, thanks for the comment.

    The root effort in regards to the conversation around Platform IT is really to separate out the systems that really need to be resilient in regards to the nation's critical infrastructure from an organization's general purpose systems. For example, a telecom organization's billing system would not necessarily be a detriment to the nation's critical infrastructure if it was compromised, so it would be classified as a general purpose system even though the organization itself is in the critical infrastructure line of business. That's not to say it should not have reasonable protections in place to protect its data from compromise, but that decision would be based on what the organization's risk tolerance and liabilities are from the data that billing system is processing. I would think your mention of email would fall into the same category, whether the organization operates the email system in house or outsources it to a third party.

    To take it a step further, systems designated as Platform IT should have more of a Systems Security Engineering effort tied to them rather than a framework of controls. Engineering principles such as systems, systems of systems, threats, countermeasures, anti-tamper, reliability, fault tolerance, survivability, containment, etc. are examples of those principles. As you can see, these are not terms your typical IT guru uses, and therefore you're not going to see an IT risk framework that enables them. Although both worlds (General Purpose & Platform IT) utilize IT based technologies, I would not have my CIO/Corporate IT types engineering my Platform IT environment, although they would be a stakeholder.


    • Hello Adam!
      Thank you so much for your patient, thorough response. I understand better what you meant now.

      Vulnerability to security breaches is only one risk to which information systems and business support infrastructure are exposed. The others are risks of the sort that I know about, well, some of them, like reliability modeling, fault tolerance, worst-case scenario analysis and planning. Also, prudent data governance, especially if subject to regulation (HIPAA, SOX, financial auditing) includes identification of such data and system access rules, and data policy in the event of loss. So yes, some risks are comparatively less important, as an adverse event will have minimal impact on critical functions of the organization.

      Still… U.S. federal, state and municipal employees (and military servicemen and civilian workers) care, more than contractors do. No, that's not quite true. Those who have been government employees in the past, or in the service, are often reliable and committed (e.g. like you! You work for a large U.S. public transit system and worked directly for agencies within federal government prior to that). Well, that has been my experience when working as a Dept of Defense contractor!

      I realize that I'm straying from your original topic. I read elsewhere about The Department of the Navy's attempt to implement a Platform IT program. I wish they had been able to pursue that course of action.