Data in Cisco Systems 2014 Annual Security Report (PDF), shows the number of threat alerts has increased by about 14% year-over-year, since 2010. Cisco goes on to say DDoS attacks in 2014 are not only rising in number and length, but they’re also being used to mask other cyber activity such as fraud.
Critical Infrastructure includes services and systems essential to our nation and society. Attacks can affect things like energy oil and agriculture. These assets include things like the electrical grid, water and sewer systems. They can even cause delays and problems in transportation.
Disruption of these services can drastically alter life.
One example of how of an infrastructure failure was the blackout on Thursday, September 8, 2011, It affected large areas of Southern California as well as western Arizona and northern Baja California and Sonora.
The NIST Framework Itself Is Not The Answer
The fact remains that the Framework is still in its baseline form. The miles of process implementation jargon have yet to be written. And it’s not mandatory for private business.
Still, companies are reviewing it to understand how they might benefit should a large-scale cyber security event happen.
The Task of Combining Resources
Given the random nature of a cyber attack, it makes sense that the public and private sectors join forces. However beneficial that task may be in, it’s not without problems.
When you bring together a large group, you’re going to encounter different levels of sophistication. Translation: the cyber strength of one doesn’t necessarily hold true for another.
The government—federal, state, and local—changes slowly. Because the framework is a direct result of President Obama’s Executive Order dated February 12, 2013, it carries unusual weight. It’s a mandate.
The order aims to put in place a disciplinary structure for meaningful activity, preemptive security clearances, and a chain of communication for public and private entities. It also connects public and private pieces of our nation’s critical infrastructure.
Big business for the most part, has already developed security strategies far beyond what the NIST framework offers. They’ve got the money. They’re serious about protecting assets. Make no mistake about it innovations and breakthroughs originate here.
When you have money, you can farm out projects and problems to specialized think tanks. Some of these companies come to mind:
- Palo Alto Group and Rick Howard
- The Center for Strategic & International Studies and Steward Baker
There are others.
Big companies can also afford to bring big-thinkers onboard to work in-house, such as AT&T and their CIO, Dr. Ed Amoroso.
These are the people who are reshaping paradigms of the Internet.
Small and mid sized companies often rely on out of box solutions to protect their virtual assets. Being so reliant upon the diligence of others has its downside. The April 8th, end of security support for Windows XP provides a timely illustration.
Although 70 percent of vulnerabilities were patched in 2013, people can’t quite ignore the remaining 30 percent—especially when they have other things to do with their time like run a business.
By understanding and following the NIST Framework, smaller entities will be able to identify areas where they need to budget for security.
Uniformity of Action
The NIST Cybersecurity Framework in its current state is only a first step. It acts as a naming convention. That said, deploying public and private resources to guard our critical infrastructures requires use of a common language. And the NIST Framework is a great starting point.
It offers a standards document that will enable people to engage in various parts of the five core functions to communicate clearly.
The Five Functions within the NIST framework:
- IDENTIFY – Develop organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- PROTECT – Develop and implement the appropriate safeguards to delivery of critical infrastructure services.
- DETECT – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- RESPOND – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- RESTORE – Develop and implement the appropriate activities to maintain plans for resilience from a cybersecurity event.
As an example, the Detect function of the NIST framework involves detecting anomalies and events, continuous monitoring of security processes and maintaining stringent detection processes. How a company measures anomalies and events allows a higher degree of accuracy when neutralizing these vulnerabilities.
By working within functions and categories, timely sharing of key information, as well as preauthorized clearances, will allow public and private sectors to combine efforts and resolve problems faster when the big one happens.