In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.
In my last article, I reviewed past initiatives to secure the nation’s critical infrastructure, including the Obama Administration’s 2013 executive order. For this installment, I will break down the framework and assess its pros and cons.
Framework for Improving Critical Infrastructure Cybersecurity
Since the implementation of President Obama’s executive order in 2013, a framework of best practices in identifying and responding to cyber-attacks has been developed.
The Framework for Improving Critical Infrastructure Cybersecurity was issued on February 12, 2014, to supplement existing business and cybersecurity operations within the public and private sectors.
Through the implementation of the Framework, businesses are able to identify gaps in their organizations’ cybersecurity practices by following a set of proposed guidelines to protect their cyber networks, as well as processes to protect civil liberties at the same time.
In addition, the Framework enhances interoperability by providing a common language through which government and private sector stakeholders can communicate to address and manage cybersecurity risks in the most effective ways. This common language is also used amongst independent stakeholders who are responsible for the delivery of essential critical infrastructure services (National Institute of Standards and Technology, 2014).
The Framework is comprised of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The first part, the Core, consists of “a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles” (pg. 4).
The Core also includes five concurrent and continuous functions (identify, protect, detect, respond, and recover) to manage cybersecurity risks that span the life cycle of an organization. The second part, the Profile, assists the organization in aligning its cybersecurity activities with “its business requirements, risk tolerances, and resources” (pg. 11).
The Profile consists of two concepts: the Current Profile of an organization, which indicates the current cybersecurity outcomes, and the Target Profile of an organization, which indicates the outcomes needed to achieve the desired cybersecurity risk management goals (National Institute of Standards and Technology, 2014).
The final part of the Framework, the Implementation Tiers, provides a tool for organizations to understand their individualized approaches to managing cybersecurity risks. Each Tier, ranging from Partial (Tier 1) to Adaptive (Tier 4), denotes the level of sophistication in cybersecurity risk management that the organization exhibits.
The level is determined based on a variety of characteristics, including how privacy and civil liberty protection is considered in regard to the management of cybersecurity risk and response tactics.
Based on the Framework, organizations are to identify their current tier, as well as their desired tier in an effort to determine how to improve their risk management initiatives to reduce cybersecurity risk to critical assets. In order to improve in their approach, organizations are encouraged to seek external guidance from federal government agencies (National Institute of Standards and Technology, 2014).
The Framework for Improving Critical Infrastructure Cybersecurity (2014) is the first step that the nation is taking in order to better prepare for the debilitating effects of a potential cyber-attack on the national critical infrastructure.
The Framework is unique in that it is a bottom-up approach, ensuring that all organizations within both the public and private sectors are internally prepared for a cyber-attack and that the cybersecurity risk management approaches in place are well aligned with the organization’s business model.
In addition, the Framework is the first step in creating unified guidelines and a common language in regard to cybersecurity that allow for more effective communicating and information sharing amongst all stakeholders to better prepare for, respond to, and recover from a cyber-attack.
Working from the inside out will not only provide guidance for individual organizations, but also will, in turn, improve the security and resilience of the entire national critical infrastructure as a whole.
Just as with any initiative, the Framework will need to be tailored to meet the individual needs of each organization that seeks to implement it; therefore, it is not a quick-fix or “a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure” (pg. 2).
However, when implemented accordingly, the Framework will be successful in reducing and better managing cybersecurity risks and prioritizing the safeguarding of activities that are essential to critical service delivery within an organization. Further, the Framework will continue to be updated, improved, and developed as the nation’s cyber threat landscape continues to evolve and technology continues to advance, thereby creating a “living document” that will change as the industry evolves (National Institute of Standards and Technology, 2014).
In the final installment for this series, I will draw final conclusions about its effectiveness in preparing organizations for the possibility of cyberwar.