
Security Frameworks

The Key to Securing our Critical Infrastructure

By Anders Erickson

September 27, 2017

When the first skyscrapers were built in the 1880s, they had only between 10 and 20 floors. By contrast, modern skyscrapers have more than 100 floors and are thousands of feet tall. Many engineering and technological advances have contributed to the progress of these superstructures, including significant improvements in the design of skyscraper frameworks. Modern skyscrapers are constructed with a framework of reinforced concrete around which the outer walls are draped like curtains. It’s this framework that gives a skyscraper its strength along with the ability to adjust to wind or earthquakes. A solid framework is a critical element for any skyscraper. 

Our society continues to increase its reliance on data systems and networks. These technologies support some of the most fundamental activities and services that we rely upon. The most basic and important of these are referred to as critical infrastructure. Our society’s critical infrastructure includes:

  • electricity generation, transmission and distribution
  • gas production, transport and distribution
  • oil and oil products production, transport and distribution
  • telecommunication
  • water supply (drinking water, waste water/sewage, etc.)
  • agriculture, food production and distribution
  • heating (e.g. natural gas, fuel oil, district heating)
  • public health (hospitals, ambulances)
  • transportation systems (fuel supply, railway network, airports, harbours, inland shipping)
  • financial services (banking, clearing)
  • security services (police, military)

Each of these services relies heavily upon a vast array of technologies. Just like a skyscraper, the information technology systems and networks that support our society’s critical infrastructure require solid frameworks for ensuring their security. If not secured, these systems could be targeted by hackers with potentially devastating consequences.

In March 2016, a group of seven foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. The hackers were able to perpetrate the attacks by installing malware on computers around the world, and using those tools remotely to launch the cyber assaults. The Iranian hackers never took control of the dam nor caused any disruptions. They instead examined its operating system to determine its defenses against cyber attack. A follow-up investigation determined that the hackers could have, in theory, caused flooding and created chaos by hacking into the dam’s control system.

Many of the industry groups and regulatory bodies that oversee the services that provide our critical infrastructure have adopted IT security frameworks to help protect and guard their underlying systems and networks. Most notably, in February 2014, the National Institute of Standards and Technology (NIST) released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. Key to the framework’s approach is a Framework Core that provides a process-oriented set of functions for managing cybersecurity risks. An organization that adopts the NIST Cybersecurity Framework is provided standards and expectations that can be performed concurrently or continuously to make cybersecurity part of the organization’s culture. These Framework Core Functions consist of the following:

  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Many organizations, including federal, state, and local governments, as well as publicly and privately held companies, have adopted this framework and begun the systematic and strategic approach to managing their cybersecurity risks. The ultimate purpose for adopting a framework is not to enforce an arbitrary set of rules and standards upon an organization. When it comes to cybersecurity, the goal for any entity should be to implement a set of guidelines that ensures the complete breadth of cybersecurity risks has been addressed. A framework, like the NIST Cybersecurity Framework, provides an organization with the strength and agility to withstand the inevitable cyber winds and earthquakes. Like the frameworks that support skyscrapers, adoption of a cybersecurity framework is critical for the success of any organization.
