Critical infrastructure cyber security is about senior level support, diligence and planning

Published: Thursday, 10 August 2017 08:50

Dr. Jim Kennedy looks at how to develop an operational resilience and cyber security framework for critical infrastructure protection.

It has always been the policy of the United States to ensure the continuity and security of the critical infrastructures that are essential to the minimum operations of our economy and government. This critical infrastructure includes essential government services, public health, law enforcement, emergency services, information and communications, banking and finance, energy, transportation, and water supply.

So even before the events of 9/11, the Executive Branch of our government, the President through Presidential Decision Directive 63 (PDD 63) issued May 22, 1998, ordered the strengthening of the nation's defenses against emerging unconventional threats to the United States, including those involving terrorist acts, weapons of mass destruction, assaults on critical infrastructures, and cyber-based attacks.

Initially, critical infrastructure security and assurance was essentially a state and local concern. With the massive use of interconnected information technologies and their significant interdependencies it has become a national concern, with major implications for the defense of the homeland and the economic security of the United States.

However, given all of the focus on critical infrastructure many of these critical infrastructure operations goes without cyber security awareness training for their workforce, no cyber security vetting of their third party suppliers, or a business continuity or continuity of operations plan that has been tested as ‘fit for purpose.’

In 2006 the Federal Energy Regulatory Commission (FERC) selected the North American Electric Reliability Council (NERC) as the Electric Reliability Organization (ERO) and standard setting body in the US for electric utilities. Cyber security and continuity of operations plans in this segment of the critical infrastructure is a work in progress at best and this is typical across the entire energy sector (e.g. transmission, generation, oil and gas distribution and etc.). Cyber and physical security at nuclear and conventional power plants are minimal at best.

In the financial sector many institutions, despite regular audits and increased governmental regulations, still do not have adequate cyber security or continuity plans in place and those that do exist are marginal; this can be seen in the continued rise of security breaches published every day in the press and even more that go unreported.

Although the deadline for HIPAA compliance has officially passed, a significant percentage of covered health care organizations still have not achieved basic HIPAA Security compliance, according to a recent industry survey. They lack cyber breach action or emergency operations plans and even in some cases lack proper risk assessments and/or disaster recovery plans for patient care systems, which provide critical contain patient healthcare information. This, coupled with the increasing use of network connected patient infusion pumps, cardiac pace makers and other therapeutic, life saving treatments, should cause much concern about the security of their use.

So even though there are laws and regulations and a very clear focus on the cyber security protection and resilience of critical infrastructure operations it has not seemed to translate into practice for the actual critical infrastructure operations across the US.

Critical infrastructure protection is all about operational resilience and cyber security. In the GAO’s ‘Critical Infrastructure Protection – Significant Challenges in Safeguarding Government and Privately Controlled Systems from Computer-Based Attacks’ the report refers to service continuity controls as: “controls that ensure that when unexpected events occur, critical operations will continue without undue interruption and that crucial, sensitive data are protected.” The report goes on to say that: “Service continuity controls should address the entire range of potential disruptions including relatively minor interruptions, such as temporary power failures or accidental loss or erasure of files, as well as major disasters, such as fires or natural disasters, (and cyber hacking and intrusions should be added) that would require reestablishing operations at a remote location.”

So how is this to be accomplished? The most effective way is for the development of a thorough and comprehensive risk assessment coupled with cyber security controls, a rapid cyber breach action plan, and a business continuity or business resiliency management program. That program can be based on the NIPP Risk Management Framework, which consists of:

I have attempted to outline below a process to aid critical infrastructure operations, utilizing the above CIPP Risk Management Framework coupled with an effective governance model, in addressing cyber security, business continuity and resiliency needs.

First a certified and experienced cyber/critical infrastructure security analyst needs to be selected and must obtain senior management agreement and sponsorship for the program to be developed. With this sponsorship adequate budgets and manpower can be allocated for the project.

Second, the analyst must solicit the aid from multiple areas of the operation or business. This can be accomplished by establishing a Cyber Security and Business Resiliency Steering Committee. This committee will be comprised of middle management from across the operation (e.g. technical, operational, financial, HR and etc.). The function of this committee is to establish the direction and approve the program, identify tools to be used, establish metrics, and report to senior management on progress.

Next, if the amount of work to be done is substantial or if the cyber security and operational resiliency program is starting from scratch, is the development of a Critical Infrastructure Program Office. This may be comprised of one or more individuals who are responsible (using project management disciplines) for ensuring that the planning and mitigation tasks are implemented consistently throughout the organization. They must also track and report on progress.

With the governance in place, the CIPP framework can be implemented and work can begin to implement it within the organization. The steering committee will work with senior management to establish the direction and communicating the goals within the organization.

Identifying the critical assets is the next step. Work to develop a clear picture of what components (people, process, and/or technology) of the operation are critical to it carrying out its mission and to identify how long it could possibly do without or work-around those components if they are to become unavailable.

Next step in the CIPP Risk Management Framework is the assessment of risk. This equates to the cyber/critical infrastructure security analyst's risk assessment. The risk assessment is the process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue critical operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Once the risk assessment is complete it will be necessary to move to the next step in the CIPP Framework, that of prioritizing the risks and developing mitigation strategies based on the operations risk appetite. Here is where the organization determines how to address the risk. Mitigate it, pass it on to another entity (insurance) or simply ignore it.

Whatever makes the best business sense is then translated into a protective plan which is then implemented under the direction of the program office. At this point in time, when the mitigation strategies are identified and are being implemented, the cyber/critical infrastructure protection plan can be developed.

Again cyber/critical infrastructure subject matter experts are best utilized to accomplish this task as they have developed plans for similar business operations. Once the mitigation efforts are in place and the plans completed awareness training for the entire staff is appropriate.

Lastly, before starting the whole effort over again, is measuring effectiveness. Is the plan and are the mitigation strategies ‘fit for purpose?’ Does the plan adequately protect the operation from adverse events and security breaches? If not, then the plan and mitigation efforts will have to be reviewed and modified as appropriate.

What has been accomplished is the beginning of a continuing effort to maintain the operation of the critical infrastructure. It has no end. It needs to be reviewed for every change to the operation.

I have been fortunate to help many critical infrastructure organizations build cyber security and operational resiliency into their operations. It is not easy but, as US Presidents past and present indicate, it is of the utmost importance to make sure that the United State’s critical infrastructure is adequately protected as its citizens rely upon it every day for their safety, protection, and wellbeing. It is difficult but as has been said: the beginning of any important journey starts with a single step.

The author

Dr. Jim Kennedy, MCTE, MRP, CEH, CHS-IV, SSIC is the chief consulting officer of Cyber/Critical Infrastructure Security Services for Security_Solutions. Dr. Kennedy has over 35 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of three books, ‘Security in a Web 2.0+ World, A Standards Based Approach’, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of an e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Contact: