Disrupting Critical Infrastructure: A Potential New Form of Warfare
It’s National Cyber Security Awareness Month, and the theme for the final week is “Building Resilience in Critical Infrastructure.” So why is this a focus for the National Cyber Security Alliance?
Well initially, cyber threats were focused on profitable data breaches with an attainable payload (e.g., credit card information, industry secrets, etc.). But now, nation states and hacktivist groups are focusing on accessing and disrupting critical infrastructure in the United States.
Threat actors are evolving—and they are attempting to hack into critical infrastructure as a potential new form of warfare. The U.S. government recognized this threat a few years ago—and in response to the changing landscape, President Obama issued Executive Order 13636.
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
How do we define “critical infrastructure”? Often people think of it as the power in our energy grid or telecommunications. However, in Executive Order 13636, the White House puts forth a much broader definition:
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Established in 2013, this executive order was issued as a response to continued cyber intrusions to critical infrastructure in the United States in an effort to combat this serious challenge to national security.
The order called on the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risk to critical infrastructure.
NIST Cybersecurity Framework
From Executive Order 13636, NIST rolled out their Framework for Improving Critical Infrastructure Cybersecurity in 2014 to establish a defense mechanism for critical infrastructure in the United States.
NIST CSF guides critical infrastructure agencies in documenting and implementing controls for information technology systems that support their operations and assets. These guidelines cover many areas surrounding access control, audit and accountability, incident response, and system and information integrity.
The NIST CSF creates an umbrella for critical infrastructure industries to use as a guide to adapt their own compliance mandates (think of it as a trickle-down effect). However, as stated above, NIST CSF is just that—guidelines. They are not mandatory. Each agency is responsible for implementing the minimum security requirements as outlined by NIST.
Is the NIST Cybersecurity Framework Enough?
For NIST CSF to be successful in protecting our nation’s critical infrastructure, industries need to interpret and apply the guidelines to their systems and areas of critical infrastructure. Some industries have done this already (e.g., NERC CIP and NRC RG 5.71).
To be successful, NIST CSF needs to adapt. Since the first iteration was released in 2014, a lot has changed in that period of time. So NIST holds forums where they can receive feedback on items that need to be further defined or clarified within the guidelines.
However, despite of the evolution of the guidelines, because they are voluntary, success for the protection of national critical infrastructure will depend on industries’ ability to own and apply them.
The Evolution of the Defense of Critical Infrastructure Cybersecurity
Moving forward, it will be very interesting to see if the NIST CSF guidelines are fully supported and backed by litigation and fines for non-compliance. Much of this will ride on the upcoming election.
If critical infrastructure cybersecurity is not backed by our next president, progress towards defending our critical infrastructure will certainly slow.