One of our nation's many pressing cyber security issues (one toward which we have still made very little actual progress) is strengthening the collective security of our critical infrastructure Information Technology (IT) fabric. Now, I know everyone's first response will be: “Not true, we now have a cyber security framework: an agreement between the public and private sectors regarding how to measure cyber security risk, how to discern a cyber security program's level of influence and, most importantly, an articulation of the classes of controls (the Framework Core) organizations need to consider when protecting information systems and data.”
While certainly an important first step, the cybersecurity framework, as written, will not actually do much to lessen a critical infrastructure member's risk from unauthorized access or misuse. It may play well in the halls of Congress and member organization board rooms, but cyber security practitioners all know that voluntary, broad-brush-stroke guidelines almost never make for better cybersecurity. The next (more difficult, but also more important) step should be to reach agreement on how to (collectively) use the framework to actually “harden” the nation's digital critical infrastructure. There are also many areas (described below) in which the U.S. Government can play a critical role in supporting the detailed implementation of the framework.
Why is this important? Because, when it comes to critical infrastructure, whether it is the financial or the health delivery sectors (for example), the weakest link in the chain can truly unravel the security and resiliency of these services. Now consider how the nascent Internet of Things (IOT) will eventually result in interconnecting the entirety of the critical infrastructure, and you will begin to understand why it is essential to have every member of every sector agree on how to secure their networks and systems. If everyone simply chooses to individually implement the existing broad elements of the framework (in various ways), clearly our critical infrastructure will suffer the “Swiss cheese” effect and the value of the framework will be greatly minimized.
The next big step should be to provide the critical infrastructure (and everyone else using the guide) greater specificity regarding how (exactly) to implement the “Framework Core.” Government and industry cyber security officials need to further their continued constructive dialogue by collectively rolling up their sleeves and taking on the bigger challenge: defining in detail what the core really means and determining exactly how to measure the path to success. To do this, the members (hopefully with Government participation) need to agree on which elements of the framework core are truly essential, in which order they should be implemented and, in detail, how to satisfy and measure them.
For example, the framework core element “Identify” recommends that organizations maintain an inventory of information technology and data assets. A great idea, but now what? How does one actually identify which elements of their IT inventory are parts of the critical infrastructure? How (exactly) should the critical infrastructure use the inventory to address their collective cyber security challenges? To what degree should they be monitored, and what should we be looking for? The framework also recommends that organizations implement cyber security governance. Again, nobody is going to disagree with that. However, more important is how to do it. What constitutes sufficient cyber security governance, who should be included and how does the governance process contribute to improving an organization's cyber security posture?
Perhaps no single element of the framework is more important than all the members agreeing on how to identify, measure and sufficiently remediate risk. Risk assessment/management has always been a challenge for every organization. This is an area where deeper and broader guidance would greatly enhance the collective security of the member organizations. Specifically, detailed guidance should be provided on which risk assessment methodology should be used. Should we all agree to use NIST 800-37/53? If yes, which controls should we all agree to consider, and how should compliance be measured?
The framework core element “Protect” is essential to how (exactly) critical infrastructure networks and systems should be secured. This is going to be the most difficult area for the critical infrastructure members to discern. Protection measures cost money and (potentially) inhibit productivity and profit. However, this is where the “rubber hits the road,” and where the cyber security framework will either be remembered as a watershed moment in cyber security history or just another guideline. For me, the key issue within this element is network security (PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate). Okay, let's now decide (especially for connections to SCADA or operational IOT systems) exactly what type of separation is necessary. Another key area is data protection (PR.DS-1: Data-at-rest is protected). I recommend that the public and private sectors first discuss the concept of a national critical infrastructure data identification scheme. With agreement on what critical infrastructure data actually is and how it should be commonly identified, the members will then have a basis to determine exactly how it should be protected. The result should be clear agreements on what data should be encrypted, when and even how.
The Detect framework core element is where the members can collectively work together with the U.S. Government and quickly make significant progress. The Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has already begun working directly with members of the critical infrastructure to electronically disseminate indicators of compromise and malware signatures using a common (i.e., STIX/TAXII) language/format. This initiative needs to be expanded to include all members of the critical infrastructure community in a national cyber defense network that also allows for the use of the Einstein class of intrusion detection sensors. To accomplish this, the members need to work with the Government and reach agreement on exactly which networks/systems should be monitored, to what degree, how data should be collected and reported (e.g., STIX/TAXII) and how indicators of compromise and signatures will be used. Clearly, issues like privacy and protecting proprietary information need to be considered, but existing cyber intelligence partnerships have already demonstrated value, and this must be a part of implementing this element of the framework.
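The value of shared indicators depends on each member being able to apply them to its own telemetry. The Python sketch below is an added illustration of that step; it is not code from the original article, from DHS/NCCIC or from any STIX/TAXII implementation. It parses the equality-and-OR subset of STIX 2.x indicator patterns (the pattern syntax is assumed here; the article names only STIX/TAXII as the exchange format), projects local log fields onto STIX object paths and reports which constructed log records match which constructed indicators. Indicator ids, addresses, the domain, the hash and the log records are all made up.

```python
"""Minimal STIX indicator matcher run over local log records.

Constructed example: indicators, field mapping and log records are invented.
Only single-observation patterns made of equality comparisons joined by OR
are supported; a production consumer would use a full STIX pattern library.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed STIX 2.x indicator objects, as a TAXII collection would deliver them.
INDICATORS = [
    {"id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "constructed C2 addresses",
     "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.8']",
     "pattern_type": "stix"},
    {"id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "constructed dropper hash",
     "pattern": "[file:hashes.'SHA-256' = '" + "cafe" * 16 + "']",
     "pattern_type": "stix"},
    {"id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "constructed staging domain",
     "pattern": "[domain-name:value = 'update.example.com']",
     "pattern_type": "stix"},
]

# How this site's log fields map onto STIX object paths (site-specific assumption).
FIELD_MAP = {
    "src_ip": "ipv4-addr:value",
    "dst_ip": "ipv4-addr:value",
    "domain": "domain-name:value",
    "sha256": "file:hashes.'SHA-256'",
}

# One comparison: <object-type>:<property path> = '<literal>'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Return the (object_path, value) pairs of a simple STIX pattern."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern shape: {pattern!r}")
    inner = body[1:-1]
    if " AND " in inner:
        raise ValueError("AND comparisons are not handled by this minimal matcher")
    pairs = []
    for clause in inner.split(" OR "):
        m = COMPARISON.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported comparison: {clause!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def observables(record: dict) -> Dict[str, Set[str]]:
    """Project a local log record onto STIX object paths."""
    out: Dict[str, Set[str]] = {}
    for local_field, path in FIELD_MAP.items():
        if local_field in record:
            out.setdefault(path, set()).add(str(record[local_field]))
    return out


def match(record: dict, indicators=INDICATORS) -> List[str]:
    """Return the ids of all indicators whose pattern matches the record."""
    obs = observables(record)
    hits = []
    for ind in indicators:
        if ind.get("pattern_type", "stix") != "stix":
            continue  # other pattern types (snort, yara, ...) need their own engine
        if any(value in obs.get(path, set()) for path, value in parse_pattern(ind["pattern"])):
            hits.append(ind["id"])
    return hits


# Constructed log records: a flow, a DNS lookup, an endpoint file event, a benign flow.
LOGS = [
    {"ts": "2014-03-01T10:00:00Z", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.8", "dst_port": 443},
    {"ts": "2014-03-01T10:00:04Z", "src_ip": "10.0.0.15", "domain": "update.example.com"},
    {"ts": "2014-03-01T10:01:10Z", "host": "hmi-01", "sha256": "cafe" * 16},
    {"ts": "2014-03-01T10:02:00Z", "src_ip": "10.0.0.20", "dst_ip": "198.51.100.9"},
]


def scan(logs=LOGS, indicators=INDICATORS) -> List[Tuple[str, List[str]]]:
    """Return (timestamp, matched indicator ids) for every record that hits."""
    results = []
    for record in logs:
        hits = match(record, indicators)
        if hits:
            results.append((record["ts"], hits))
    return results


if __name__ == "__main__":
    for ts, hits in scan():
        print(ts, "matched", ", ".join(hits))
```

The mapping table is the part that every member has to write for itself: shared indicators name STIX objects, while local sensors emit their own field names, and agreeing on that mapping is what makes a common indicator feed actionable across organizations.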
A critical impediment to obtaining early and useful cyber-attack intelligence is directly related to the critical infrastructure member organizations' forensic capabilities. While some members have mature programs with capable resources, others may have little to no ability to respond to cyber-attacks. The “Respond” collection of core elements is intended to guide members to implement programs that enable them to react to attacks properly and in a repeatable manner while collecting and disseminating critical information (e.g., RS.AN-4: Incidents are categorized consistent with response plans). Again, this is exactly where the members need to reach agreements regarding minimum capabilities, forensic processes/tools, data reporting requirements and the role of the Government. I recommend that, at a minimum, the Government (i.e., DHS) provide training and tools to enable all members of the critical infrastructure to consistently collect and report on payload attack code execution. This will enable the Government to better understand and respond to attacks against the national critical infrastructure.
Lastly, the “Recovery” core provides guidance to members regarding considerations (mostly public affairs related) for recovering from cyber-attacks and applying learned knowledge. I think the most important element within this category is: RC.IM-1: Recovery plans incorporate lessons learned. This is again an area that the Government can assist the members of the critical infrastructure by collectively analyzing cyber-attack intelligence and providing members with best practices for managing incidents.
Our country has a real opportunity to now expand on the success of the cybersecurity framework by tackling the difficult task of actual implementation. It clearly will not be easy and may take (at least) a couple of years to complete. However, reaching agreement on implementation details and expanding the partnership both between critical infrastructure members and with the U.S. Government is our best chance at addressing cyber security threats, especially with the IOT right around the corner.