Security Frameworks

The Key to Securing our Critical Infrastructure

By Anders Erickson

September 27, 2017

When the first skyscrapers were built in the 1880s, they had only between 10 and 20 floors. By contrast, modern skyscrapers have more than 100 floors and are thousands of feet tall. Many engineering and technological advances have contributed to the progress of these superstructures, including significant improvements in the design of skyscraper frameworks. Modern skyscrapers are constructed with a framework of reinforced concrete around which the outer walls are draped like curtains. It’s this framework that gives a skyscraper its strength along with the ability to adjust to wind or earthquakes. A solid framework is a critical element for any skyscraper. 

Our society continues to increase its reliance on data systems and networks. These technologies support some of the most fundamental activities and services that we rely upon. The very basic and most important of these are referred to as critical infrastructure. Our society’s critical infrastructure includes:

  • electricity generation, transmission and distribution
  • gas production, transport and distribution
  • oil and oil products production, transport and distribution
  • telecommunication
  • water supply (drinking water, waste water/sewage, etc.)
  • agriculture, food production and distribution
  • heating (e.g. natural gas, fuel oil, district heating)
  • public health (hospitals, ambulances)
  • transportation systems (fuel supply, railway network, airports, harbours, inland shipping)
  • financial services (banking, clearing)
  • security services (police, military)

Each of these services relies heavily upon a vast array of technologies. Just like a skyscraper, the information technology systems and networks that support our society’s critical infrastructure require solid frameworks for ensuring their security. If not secured, these systems could be targeted by hackers with potentially devastating consequences.

In March 2016, a group of seven foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. The hackers were able to perpetrate the attacks by installing malware on computers around the world, and using those tools remotely to launch the cyber assaults. The Iranian hackers never took control of the dam nor caused any disruptions. They instead examined its operating system to determine its defenses against cyber attack. A follow-up investigation determined that the hackers could have, in theory, caused flooding and created chaos by hacking into the dam’s control system.

Many of the industry groups and regulatory bodies that oversee the services that provide our critical infrastructure have adopted IT security frameworks to help protect and guard their underlying systems and networks. Most notably, in February 2014, the National Institute of Standards and Technology (NIST) released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. Key to the framework’s approach is a Framework Core that provides a process-oriented set of functions for managing cybersecurity risks. An organization that adopts the NIST Cybersecurity Framework is provided standards and expectations that can be performed concurrently or continuously to make cybersecurity part of the organization’s culture. These Framework Core Functions consist of the following:

  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Many organizations, including federal, state, and local governments, as well as publicly and privately held companies, have adopted this framework and begun taking a systematic and strategic approach to managing their cybersecurity risks. The ultimate purpose of adopting a framework is not to enforce an arbitrary set of rules and standards upon an organization. When it comes to cybersecurity, the goal for any entity should be to implement a set of guidelines that ensures the complete breadth of cybersecurity risks has been addressed. A framework, like the NIST Cybersecurity Framework, provides an organization with the strength and agility to withstand the inevitable cyber winds and earthquakes. Like the frameworks that support skyscrapers, adoption of a cybersecurity framework is critical for the success of any organization.