In February 2014, the Obama Administration published the Framework for Improving Critical Infrastructure Cybersecurity with the aim of providing a “how-to” guide for cybersecuring critical infrastructure in the modern age. While the framework isn’t intended to be an all-encompassing solution for industrial cybersecurity, it is designed to provide a model for how to protect against certain threats.
During a recent conference presented by the Automation Federation, Samara Moore, director of Cybersecurity Critical Infrastructure Protection for the White House National Security Staff, explained that cyber threats take advantage of the programs of systems we use to manage our infrastructure, and, because of that, such threats are a national security issue. In the case of financial information systems, attackers could be stealing sensitive data, such as customer information. In the case of industrial automation and control systems (IACS), attackers could cause systems to fail or operate in unintended ways resulting in catastrophic damage to people and/or the environment, or the loss of essential services, such as water, gas or electricity.
Reasons for Cybersecurity Practice
Many standards and guidelines for cybersecurity already exist, and in some cases have been in place for many years. Despite this, the number of reported cyber attacks continues to grow year after year. That said, many of these attacks could have been avoided by the application of basic or intermediate security controls, such as:
- Good personnel security, including enforcement of proper access control, strong passwords, and remote access;
- Securing computer equipment and enforcement of policies, such as use of removable media;
- Securing the computer network, including the use of appropriate segregation of equipment and the use of firewalls and other security devices.
While cyber attacks can happen within minutes, they are generally not detected immediately. One of the main goals of the Cybersecurity Framework is to provide companies with clear guidance on the controls to implement so attacks can be either prevented or, at a minimum, detected and resolved in a timely manner.
Volunteer, Incentive-Based Programs
The Cybersecurity Framework highlights some key advantages to encourage early adopters, including:
- Cybersecurity Insurance: There is evidence that suggest companies are being denied insurance because of the lack of good cybersecurity management.1 Lloyd’s of London says it has seen a “huge increase” in demand for coverage from energy firms, but assessments concluded that cybersecurity protections were inadequate. Demonstrating compliance with the Framework will help protect companies who need to file an insurance claim.
- Liability Limitation: U.S. Government agencies are considering legislation to reduce liability on Framework participants in areas such as: reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a federal legal privilege that preempts the need for state disclosure requirements.
- Streamline Regulations: A number of critical infrastructure sectors already have cybersecurity regulations. The U.S. Government’s intention is to use the Framework to help streamline the regulatory burden.
- Public Recognition: As public awareness of cybersecurity continues to grow, it will be beneficial for organizations to demonstrate their application of good cybersecurity practices—in much the same way as it has for quality control, environmental stewardship, and personnel safety.
- Rate Recovery for Price Regulated Industries: There is work underway to consider whether regulatory agencies that set utility rates should allow utilities recovery for cybersecurity investments related to complying with the Framework and participation in the program.
Development of Cybersecurity Framework
Adam Sedgewick, senior policy advisor of the National Institute of Science and Technology (NIST), also spoke at the conference and described the Framework as a set of standards, methodologies, procedures and practices to align policy, business and technological approaches to address cyber risk.
NIST developed the Cybersecurity Framework in an open forum with input from stakeholders in the industry and experts who deal with cybersecurity issues on a daily basis.
“There’s no way to put together a good foundation for cybersecurity methods without working together, and the Cybersecurity Framework was a great example of a successful public/private partnership,” says Moore.
“Cyber risk management is just that, it’s about managing risk,” Moore says. “We’re in a very dynamic environment where the systems we use continue to change and how we use them changes, which means the cyber threats change. It’s not about set-it-and-forget-it and we’re done, it’s a continual process.”
NIST also wanted to create something that wasn’t too labor-intensive for business managers to implement. Sedgewick describes the Cybersecurity Framework as a tiered approach focused on identification, protection, detection, response, and recovery.
An important part in this process for any company is to recognize where you are in your cybersecurity efforts, and where improvements can be made. The framework is designed to open up the minds of those at risk to help them see where there might be a weakness in their infrastructure.
|Industry Under Attack|
ISA’s Involvement with the Framework
A major focus going forward will be on transitioning the management of the Framework to a non-governmental organization. Sedgewick says moving the Framework from a government to a non-government entity, like one of the big standards bodies, will help ensure it is a living document that continues to progress in the future.
Steve Mustard, a team member of the ISA99 Security Standards Committee and Automation Federation’s Government Relations Committee, says conformity of industrial cybersecurity standards is a key goal. “The alignment with other standards is very important so that we’re not producing lots of standards that are very similar, but yet not consistent.”
The International Society of Automation (ISA) is one of those organizations that could help further the development of the Cybersecurity Framework going forward. ISA has a member committee that has been developing cybersecurity standards for IACS since 2007. The committee consists of system operators, owners, and product vendors from sectors where IACS are deployed.
The ISA99 series of standards has now been adopted by the IEC (International Electrotechnical Commission) as IEC62443, the first international standard for IACS cybersecurity management.
“The standard provides a complete reference for managing cybersecurity risk in IACS that are the most extensive element of the critical infrastructure,” says Mustard. “Because of this, IEC62443 is one of the key standards referenced extensively in the Framework.”
Mustard also noted that many IACS were designed years ago when cybersecurity standards were much different than they are today. The level of security in those products is much different from what you would have in a typical IT system today. Whereas a typical IT system may have a technology refresh every 18-36 months, an IACS may be operational for decades with minimal change.
Since the risks of change (due to possible consequences of failure) are generally much greater, and the installed base of equipment can be more widespread, IACS users typically prefer to avoid disturbing the status quo. However, the use of old technology (such as unsupported operating systems with many known vulnerabilities), or equipment that doesn’t have security designed in (such as devices with hard-coded access passwords), presents very real threats that need to be managed in order to avoid potentially catastrophic consequences.
Importance of Training & Education
“Training and education are a key element to success for effective cybersecurity management of the nation’s critical infrastructure,” says Mustard. As noted previously, despite the widespread availability of guidance on good cybersecurity practices, the vast majority of attacks today are preventable by the application of basic or intermediate controls. A key reason for this gap between availability and adoption is a lack of awareness and training.
Mustard says that despite some well-publicized attacks (see sidebar), many industrial organizations have been slow to respond to cyber threats.
The ISA provides an extensive range of training courses that are designed for professionals involved in IT and IACS security roles that need to develop or maintain cybersecurity programs in their organizations. A certificate program has recently been introduced for ISA99/IEC62443 standards, and plans are underway to introduce a course focusing on usage of the Framework.
Future of the Framework
At the same time the Framework was released, NIST also released a Companion Road Map for developmental alignment and collaboration. The road map picks apart the areas where stakeholders said most issues exist. In the future, they will be looking to fix problems, such as authentication, log-in issues, technical privacy standards, and the international side of cyber security.
To download a copy of the Cybersecurity Framework, visit www.nist.gov/cyberframework.
1. “Energy firm cyber-defence is ‘too weak’, insurers say,” BBC, Feb. 26, 2014, www.bbc.com/news/technology-26358042.