
Security Frameworks – The Key to Securing our Critical Infrastructure

By Anders Erickson

September 27, 2017

When the first skyscrapers were built in the 1880s, they had only between 10 and 20 floors. By contrast, modern skyscrapers have more than 100 floors and are thousands of feet tall. Many engineering and technological advances have contributed to the progress of these superstructures, including significant improvements in the design of skyscraper frameworks. Modern skyscrapers are constructed with a framework of reinforced concrete around which the outer walls are draped like curtains. It’s this framework that gives a skyscraper its strength along with the ability to adjust to wind or earthquakes. A solid framework is a critical element for any skyscraper. 

Our society continues to increase its reliance on data systems and networks. These technologies support some of the most fundamental activities and services that we rely upon. The most basic and important of these are referred to as critical infrastructure. Our society’s critical infrastructure includes:

  • electricity generation, transmission and distribution
  • gas production, transport and distribution
  • oil and oil products production, transport and distribution
  • telecommunication
  • water supply (drinking water, waste water/sewage, etc.)
  • agriculture, food production and distribution
  • heating (e.g. natural gas, fuel oil, district heating)
  • public health (hospitals, ambulances)
  • transportation systems (fuel supply, railway network, airports, harbours, inland shipping)
  • financial services (banking, clearing)
  • security services (police, military)

Each of these services relies heavily upon a vast array of technologies. Just like a skyscraper, the information technology systems and networks that support our society’s critical infrastructure require solid frameworks for ensuring their security. If not secured, these systems could be targeted by hackers with potentially devastating consequences.

In March 2016, a group of seven foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. The hackers were able to perpetrate the attacks by installing malware on computers around the world, and using those tools remotely to launch the cyber assaults. The Iranian hackers never took control of the dam nor caused any disruptions. They instead examined its operating system to determine its defenses against cyber attack. A follow-up investigation determined that the hackers could have, in theory, caused flooding and created chaos by hacking into the dam’s control system.

Many of the industry groups and regulatory bodies that oversee the services that provide our critical infrastructure have adopted IT security frameworks to help protect and guard their underlying systems and networks. Most notably, in February 2014, the National Institute of Standards and Technology (NIST) released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. Key to the framework’s approach is a Framework Core that provides a process-oriented set of functions for managing cyber security risks. An organization that adopts the NIST Cybersecurity Framework is provided with standards and expectations that can be performed concurrently or continuously to promote a culture in which cyber security is part of how the organization operates. These Framework Core Functions consist of the following:

  • Identify – Develop the organizational understanding to manage cyber security risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.

Many organizations, including federal, state, and local governments, as well as publicly and privately held companies, have adopted this framework and begun the systematic and strategic approach to managing their cyber security risks. The ultimate purpose for adopting a framework is not to enforce an arbitrary set of rules and standards upon an organization. When it comes to cyber security, the goal for any entity should be to implement a set of guidelines that ensures that the complete breadth of cyber security risks has been addressed. A framework, like the NIST Cybersecurity Framework, provides an organization with the strength and agility to withstand the inevitable cyber winds and earthquakes. Like the frameworks that support skyscrapers, adoption of a cyber security framework is critical for the success of any organization.