Security Frameworks

The Key to Securing our Critical Infrastructure

By Anders Erickson

September 27, 2017

When the first skyscrapers were built in the 1880s, they had only between 10 and 20 floors. By contrast, modern skyscrapers have more than 100 floors and are thousands of feet tall. Many engineering and technological advances have contributed to the progress of these superstructures, including significant improvements in the design of skyscraper frameworks. Modern skyscrapers are constructed with a framework of reinforced concrete around which the outer walls are draped like curtains. It’s this framework that gives a skyscraper its strength along with the ability to adjust to wind or earthquakes. A solid framework is a critical element for any skyscraper. 

Our society continues to increase its reliance on data systems and networks. These technologies support some of the most fundamental activities and services that we rely upon. The very basic and most important of these are referred to as critical infrastructure. Our society’s critical infrastructure includes:

  • electricity generation, transmission and distribution
  • gas production, transport and distribution
  • oil and oil products production, transport and distribution
  • telecommunication
  • water supply (drinking water, waste water/sewage, etc.)
  • agriculture, food production and distribution
  • heating (e.g. natural gas, fuel oil, district heating)
  • public health (hospitals, ambulances)
  • transportation systems (fuel supply, railway network, airports, harbours, inland shipping)
  • financial services (banking, clearing)
  • security services (police, military)

Each of these services relies heavily upon a vast array of technologies. Just like a skyscraper, the information technology systems and networks that support our society’s critical infrastructure require solid frameworks for ensuring their security. If not secured, these systems could be targeted by hackers with potentially devastating consequences.

In March 2016, a group of seven foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. The hackers were able to perpetrate the attacks by installing malware on computers around the world, and using those tools remotely to launch the cyber assaults. The Iranian hackers never took control of the dam nor caused any disruptions. They instead examined its operating system to determine its defenses against cyber attack. A follow-up investigation determined that the hackers could have, in theory, caused flooding and created chaos by hacking into the dam’s control system.

Many of the industry groups and regulatory bodies that oversee the services that provide our critical infrastructure have adopted IT security frameworks to help protect and guard their underlying systems and networks. Most notably, in February 2014, the National Institute of Standards and Technology (NIST) released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. Key to the framework’s approach is a Framework Core that provides a process-oriented set of functions for managing cybersecurity risks. An organization that adopts the NIST Cybersecurity Framework is provided with standards and expectations that can be performed concurrently or continuously to make cybersecurity part of the organization’s culture. These Framework Core Functions consist of the following:

  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Many organizations, including federal, state, and local governments, as well as publicly and privately held companies, have adopted this framework and begun taking a systematic and strategic approach to managing their cybersecurity risks. The ultimate purpose for adopting a framework is not to enforce an arbitrary set of rules and standards upon an organization. When it comes to cybersecurity, the goal for any entity should be to implement a set of guidelines that ensures the complete breadth of cybersecurity risks has been addressed. A framework, like the NIST Cybersecurity Framework, provides an organization with the strength and agility to withstand the inevitable cyber winds and earthquakes. Like the frameworks that support skyscrapers, adoption of a cybersecurity framework is critical for the success of any organization.
