
Critical infrastructure owners are ultimately responsible for addressing their cybersecurity needs. However, as we have described, there are several other stakeholders involved with efforts to enhance cybersecurity. For some infrastructure sectors, sector coordinators, whether individuals or organizations, perform a collective role in helping the entities within their sector to improve cybersecurity. In addition, federal, state, and local governments have a stake in ensuring that the interests of national security and the public good are addressed, and they have a variety of policy tools that can be used to influence how the nation’s critical infrastructures are protected, including regulations, grants, and partnerships. In some cases, the federal government plays an important role in the operations of a critical infrastructure sector. For example, the Federal Aviation Administration’s (FAA) air traffic control system is essential to the operations of the aviation transportation sector. IT manufacturers, including cybersecurity technology companies, develop and market the tools used by critical infrastructure owners to conduct their business and protect their information technology infrastructure from security risks. All of these parties face various challenges in addressing the nation’s cybersecurity needs. Such challenges range from identifying cybersecurity problems within an organization to creating business cases so that specific cybersecurity technologies can be deployed in or developed for it. Many of these challenges are common to all types of critical infrastructures, while some challenges are unique to specific sectors. Concomitant with the challenges, there are opportunities for action by the federal government, critical infrastructure sectors, individual entities that own critical infrastructures, and technology manufacturers.

This chapter focuses on two major categories of potential actions for improving cybersecurity for CIP. First, the implementation of available cybersecurity technologies and processes could help address critical infrastructure owners’ immediate cybersecurity needs. We present cybersecurity challenges that are faced by critical infrastructure owners and suggest approaches and actions that are available to help meet those challenges, including the use of cybersecurity technology.

Second, we discuss policy options available to the federal government that can make more cybersecurity technologies available and encourage their use by infrastructure owners. Several activities have already been undertaken by the federal government and by critical infrastructure sectors to improve critical infrastructure protection. To determine whether to continue or expand current programs or to develop new cybersecurity programs, it would be useful to examine the effectiveness of these current activities and assess whether further investment is required.

Chapter 4: Cybersecurity Implementation Issues

Further, an important common thread in all of the opportunities for action is that any policy action will have consequences, both intended and unintended. Before proposing or implementing any policy action, the federal government needs to consider these potential consequences, as well as the costs and benefits of the action.

A Risk-Based Framework for Infrastructure Owners to Implement Cybersecurity Technologies

A basic challenge facing critical infrastructure owners is that they have to address many different issues that affect their operations. Security issues, both physical and cyber, are only one element of what affects an entity’s operations. Management’s primary concerns are day-to-day operation, the investments needed for the future, and stakeholder, stockholder, or owner satisfaction with its performance. An overall security framework can help an entity properly evaluate the importance of cybersecurity problems within the context of its operations. Security best practices recommend that a risk assessment methodology be used to make informed security investment decisions. If an entity has not conducted a risk assessment, it cannot know the extent of its cybersecurity problem. Even when it knows the extent of its cybersecurity needs, it cannot protect everything, and so it must prioritize on the basis of risk. Further, an entity often needs a business case to invest in cybersecurity.

On the basis of the results of a risk assessment, infrastructure owners can implement available cybersecurity technologies to mitigate identified risks. There are several categories of cybersecurity technologies available that could be used to better secure critical infrastructure systems. However, infrastructure owners also need to bear in mind the limitations of these technologies, as well as the interactions of the technologies with the security processes and the people using them.

Using an Overall Framework for Cybersecurity

It is important to think of cybersecurity in an overall framework (see figure 4) that includes the following processes: (1) determining the business requirements for security; (2) performing risk assessments; (3) establishing a security policy; (4) implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks; and (5) monitoring and managing security continuously.

Chapter 4: Cybersecurity Implementation Issues

Figure 4: An Overall Framework for Security

A cybersecurity framework starts with the development of a security policy based on business requirements and a risk analysis. The business requirements identify the needs of the enterprise, including its cybersecurity requirements: the computer resources and information that have to be protected, together with any requirements imposed by applicable laws, such as HIPAA and FISMA, and requirements to protect the privacy of some types of data. Some risks are external to the entity conducting the risk assessment and lie beyond its control, and the assessment needs to account for these as well.

On the basis of the risk analysis and the business requirements for cybersecurity, an entity can develop its security policy. Such a security policy typically addresses high-level objectives such as ensuring the confidentiality, integrity, and availability of data and systems. As we previously described, we found that sector entities generally share these basic cybersecurity objectives for their systems and networks, but they vary in the relative importance they place on these objectives based on the operational area or function involved.

[Figure 4 elements: business requirements and a risk assessment feed the security policy; the policy is implemented through people, process, and technology; security management (protect, detect, react) operates continuously; the security objectives are confidentiality, integrity, and availability.]


These security objectives are achieved by implementing cybersecurity solutions that make use of people, process, and technology. The types of IT and cybersecurity technologies are the same across all sector entities, but because cybersecurity objectives vary among critical infrastructure sectors, the details of implementation and the level of their use differ from one sector to another. In addition to implementing security solutions, entities need security management that continuously protects against, detects, and reacts to security incidents. The combination of risk analysis, security policy, security solutions, and security management provides the overall cybersecurity framework and represents a continuous process. Such an overall security framework can help an entity establish a common level of understanding of its cybersecurity posture and a common basis for the design and implementation of cybersecurity solutions.

Risk Assessments Are Key

Risk analysis or risk assessment is a key component within the overall framework for cybersecurity. The approach to good security is fundamentally similar, regardless of the assets being protected. As we have previously reported, applying risk management principles can provide a sound foundation for effective security whether the assets are information, operations, people, or federal facilities.1

A risk management methodology can provide the basic information that is required to make decisions on how to protect an entity’s information systems. As seen in figure 5, these principles can be reduced to five basic steps that help to determine responses to five essential questions:

1 U.S. General Accounting Office, National Preparedness: Technologies to Secure Federal Buildings, GAO-02-687T (Washington, D.C.: Apr. 25, 2002).
