When Executive Order 13636 “Improving Critical Infrastructure Cyber Security” was signed, it mandated that it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure, with critical infrastructure being defined as systems and assets – whether physical or virtual – so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
As the NIST Cyber Security Framework effort takes a more final form with the published draft, it seemed a good time to give it another look and ask whether all of this effort answers the core requirement of the executive order identified above.
When reviewing, I was looking for guidance, context, and any direction that alluded to how a critical infrastructure organization could be more “resilient” with their critical systems that would “have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
It's clear that the efforts by NIST and industry stakeholders will eventually become an industry standard, whether through formal regulation or by establishing itself through legal precedent. However, questions still arise, such as: which organizational products and services would have a debilitating impact on the nation? Does this framework apply to my entire corporate environment? How does this framework affect other regulatory requirements such as PCI, SOX, HIPAA and state privacy laws? Which products and services can operate at Tier 1 process maturity versus Tier 4?
The Department of Defense (DoD) has had similar challenges, which continue to be debated depending on where the conversation takes place. Outside of the critical infrastructure sector, the DoD is the largest user of special-purpose systems by virtue of its weapons programs and its medical, energy and logistics capabilities.
The challenge is how to take cyber security standards, which historically originated from Certification & Accreditation requirements, and apply them to special-purpose systems. The bottom line was that it was consistently difficult to take frameworks written in the context of a CIO/IT corporate environment and apply them to systems that don't operate in that environment.
The Department of the Navy (DoN) attempted to address this issue by implementing a "Platform IT" program.
Platform IT (PIT) is defined as: computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. Examples of Platform IT include Industrial Control Systems/SCADA, and could also include bio-med systems in the health sector, SmartGrid in the energy sector, and so on. PIT does not include general-purpose systems such as email, collaboration, financial, ticketing and scheduling applications.
By allowing a system to be designated as "Platform IT" and, by that designation, treated as special purpose, the organization had some flexibility in how it implemented cyber security based on the system's mission rather than a canned one-size-fits-all framework. Instead of controls, you would implement "countermeasures"; rather than a "Systems Development Life Cycle (SDLC)", you used systems engineering with a focus on reliability, resilience and dependencies as key performance parameters, not control compliance.
In the DoD, the Platform IT concept did not gain much traction due to its own internal policy challenges; however, the concept is sound. Critical infrastructure organizations should consider designating their systems and subsystems as special purpose, whether they use the Platform IT title or not.
Carve out and separate those mission-critical systems and subsystems that truly provide critical services, go through the data governance of those environments, and truly understand what is critical versus what is corporate. Additionally, based on the current draft framework, you are really targeting the "Identify" function of the cyber security framework, but in a way that no NIST/ISO/COBIT guidance will tell you. Understand the dependencies of those services and how resilient they are. A good article on just how to do that: http://timreview.ca/article/714
Additionally, the Cyber Security Research Alliance and the National Institute of Standards and Technology (NIST) have recently created a report outlining recommendations on how to design in cyber security for cyber-physical systems; the report can be located here:
This is a perfect example of how to apply engineering best practices and principles to systems designated as Platform IT. Remember, “compliance does not result in good security but good security does result in compliance.”
About the Author: Adam Meyer is currently the Chief Information Security Officer for one of the largest public transportation systems in the United States. Before serving in his current position, Adam served as the Director of Information Assurance/Cyber Security for the Naval Air Warfare Center, Naval Air Systems Command. Prior to focusing on the cyber security discipline, Adam served in positions supporting Network Engineering & Operations, Enterprise Architecture & Configuration Management, Emergency Power and Systems Engineering for organizations such as White House Communications, Army Pentagon, Joint Interoperability Test Command (JITC) and the Intelligence Community. Adam also provides specialized training and consulting services as the President of CyberWise Advantage Inc. in the areas of Business Resiliency, Data Governance, Risk Management and Systems Security Engineering, with an additional focus on cyber security issues for small and medium-sized businesses.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.