Here is my question for each of us to ponder – with respect to our public and private lives alike. Have we contemplated the parameters of critical infrastructure in a connected world? You know, a world where your grandmother's new “intelligent” refrigerator could be linked to the takedown of the U.S. Federal Reserve or a network-enabled HVAC system could lead to a leak of the health information of an entire legislature. We must ask: What is critical infrastructure and who is touching it?
By now you are aware that the National Institute of Standards and Technology (NIST) released for public comment a draft of version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity,” fondly nicknamed by industry insiders as the “CSF” or the “Framework.”
The CSF points to 2013 Executive Order 13636 (EO) on “Improving Critical Infrastructure Cybersecurity” to define critical infrastructure. In reality, that definition comes from the USA PATRIOT Act of 2001.
Let's refresh our memories. Critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Seeking to add further clarity, the Presidential Policy Directive accompanying the EO identified the 16 critical infrastructure sectors with which we are all familiar today.
CSF 1.0 clearly recognized the impact of IT and OT convergence on cyber risks. CSF Draft 1.1 goes further. CSF Draft 1.1, consistent with its intent that the CSF be a “living document,” articulates the relevance of cyber supply chain risk. Given the impact third-party ecosystems can have in a connected world, we must assess their security impact on critical infrastructure.
I have long advocated the premise that cybersecurity is not just about information alone. Rather, a comprehensive, flexible architecture and a layered approach across the growing third-party ecosystem for our critical infrastructure is essential to meaningful security. In fact, 87 percent of respondents to the 2016 Deloitte third-party governance and risk management global survey had a disruptive incident linked to a third party in the last two to three years. Moreover, 28 percent of those incidents resulted in major disruptions.
Cyber supply chain risk is addressed in a number of places throughout CSF Draft 1.1. Here are some areas that are worthy of note:
The inclusion of Cyber Supply Chain Risk Management (SCRM) as an element of the organizational tier analysis;
A recognition of the need for customized cyber requirements to address the differences in each third party's products or services, whether IT or OT; and
A discussion of the need for a “prioritized list of organizational cybersecurity requirements.”
Applying risk-based security throughout the third-party ecosystem is paramount. Cybersecurity can only be achieved when successfully intertwined with security technology, physical security and logical security. This layered approach across the supply chain optimizes protection.
The initial step should be identifying end-to-end lifecycle and operational processes. Why? Only by mapping the lifecycle and operational processes across our critical infrastructure can we meaningfully address cyber resiliency throughout it – from design, development, implementation and maintenance to end of life.
Addressing the security of the expanding ecosystem that is touching and, in many cases, a part of critical infrastructure, will deliver greater cyber resilience. I encourage each of you to review CSF Draft 1.1 and provide relevant comments. Ultimately, Cyber SCRM and security depends on all of us.