When the first skyscrapers were built in the 1880s, they had only between 10 and 20 floors. By contrast, modern skyscrapers have more than 100 floors and are thousands of feet tall. Many engineering and technological advances have contributed to the progress of these superstructures, including significant improvements in the design of skyscraper frameworks. Modern skyscrapers are constructed with a framework of reinforced concrete around which the outer walls are draped like curtains. It’s this framework that gives a skyscraper its strength along with the ability to adjust to wind or earthquakes. A solid framework is a critical element for any skyscraper.
Our society continues to increase its reliance on data systems and networks. These technologies support some of the most fundamental activities and services that we rely upon. The very basic and most important of these are referred to as critical infrastructure. Our society’s critical infrastructure includes:
Each of these services relies heavily upon a vast array of technologies. Just like a skyscraper, the information technology systems and networks that support our society’s critical infrastructure require solid frameworks for ensuring their security. If not secured, these systems could be targeted by hackers with potentially devastating consequences.
In March 2016, a group of seven foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. The hackers were able to perpetrate the attacks by installing malware on computers around the world, and using those tools remotely to launch the cyber assaults. The Iranian hackers never took control of the dam nor caused any disruptions. They instead examined its operating system to determine its defenses against cyber attack. A follow-up investigation determined that the hackers could have, in theory, caused flooding and created chaos by hacking into the dam’s control system.
Many of the industry groups and regulatory bodies that oversee the services that provide our critical infrastructure have adopted IT security frameworks to help protect and guard their underlying systems and networks. Most noticeably, in February 2014, the National Institute of Standards and Technology (NIST) released the first version of their Framework for Improving Critical Infrastructure Cybersecurity. Key to the framework’s approach is a Framework Core that provides a process-oriented set of functions for managing cybersecurity risks. An organization that adopts the NIST Cybersecurity Framework is provided standards and expectations that can be performed concurrently or continuously for promote a culture where cybersecurity is part of the organization’s culture. These Framework Core Functions consist of the following:
Many organizations, including federal, state, and local governments, as well as publicly and privately held companies, have adopted this framework and begun the systematic and strategic approach to managing their cybersecurity risks. The ultimate purpose for adopting a framework is not to enforce an arbitrary set of rules and standards upon an organization. When it comes to cybersecurity, the goal for any entity should be to implement a set of guidelines that ensures the complete breadth of cybersecurity risks have been addressed. A framework, like the NIST Cybersecurity Framework, provides an organization with the strength and agility to sustain the inevitable cyber winds and earthquakes. Like the frameworks that support skyscrapers, adoption of a cybersecurity framework is critical for the success of any organization.