The Obama administration’s Cybersecurity Framework announced on February 12 is the product of a year-long collaboration between the US government and industry, coordinated and led by the National Institute of Standards and Technology (NIST).
This work has focussed on creating approaches to defining and managing risks in critical infrastructure companies in the US. Today’s factories, power facilities and other physical assets are increasingly interconnected, so the framework focusses on the security of today’s enterprises and the infrastructure they depend upon.
Critical national infrastructure (CNI) is often owned or operated by private, often multinational, companies – including banks, telecom and energy companies – while other public sector critical assets include government facilities, emergency services and the National Health Service. Adoption of the framework is voluntary, and it comes with a roadmap for managing IT security risks.
Increasingly, public and private sector organisations are also vetting their supply chains for the highest levels of IT security adherence. So those inside and outside of the CNI working in areas related to critical infrastructure may find it helpful to review the framework. This model may also be useful for organisations that operate internationally, or critical infrastructures that are increasingly connected.
Critical infrastructure in focus
IBM’s own analysis and data, based on findings in the most recent IBM Cyber Security Intelligence Index, show that critical infrastructure industries continue to be targeted. The index shows that the industries most dependent on the nation’s infrastructure are among the most targeted by cyber attackers.
The top five industries that reported the most incidents are manufacturing (26.5%), finance and insurance (20.9%), information and communication (18.7%), health and social services (7.3%), and retail and wholesale (6.6%).
By looking at security intelligence, UK organisations can build an understanding of how they are managing cyber risk. Against this landscape, some may find it useful to have a structure for thinking through how to baseline and improve security maturity, how to prioritise security investments and resources, and which elements are necessary for critical operations and networks.
There are, of course, other approaches and many informative references such as existing international ISO standards, which can also be useful in developing capabilities.
Rather than dictate specific technologies, measures or outcomes, the framework establishes a common language for organisations to evaluate their cybersecurity posture and to identify and prioritise opportunities to improve it.
Because the framework is designed to be adaptable to organisations of different types and sizes, it can be customised to an individual organisation depending on its risk profile, resources and needs.
Looking at the baseline and desired state is often the starting point when reviewing information security, and it works even better when done in the context of what we really care about. What intellectual property or other assets are absolutely critical? Consideration should be given to what, if disrupted, would cause huge impact to the organisation and others.
Once those critical areas are identified, measuring your current baseline and setting your desired state of security is the next dimension. This leads to setting the different objectives, practices and procedures required to get to the desired state. This kind of structured thinking will complement organisations’ existing risk management processes.
At the same time the threats are growing. There are now more devices than ever before, and larger amounts of machine-to-machine log data and vast sets of unstructured user data must be harvested for security intelligence. For example, infrastructure such as SCADA is increasingly able to detect anomalous behaviour in real time.
Security intelligence is about knowing what is normal for the organisation, and what should be seen as unusual. Organisations are increasingly building those pictures, creating that intelligence with people, processes and technologies.
Patterns are being developed and applied using approaches such as advanced Security Information and Event Management (SIEM), which enables an organisation to correlate event, anomaly, log and flow data. The organisations that are gaining maturity fastest are often those using sources of actionable insight to build greater protection and risk management.
It is vital to enable risk to be managed in a dynamic environment where cyber incidents are growing while we live in an increasingly interconnected world. The new NIST Cybersecurity Framework enables the organisation to set out the current state, the desired state and a process for identifying and highlighting the key capabilities needed. This can then allow security resilience to be built into the organisation, against a defined risk appetite.
Security intelligence-led thinking can also provide the capability to spot, and respond to, security incidents in an increasingly challenging cybersecurity landscape.