Here is my question for each of us to ponder—with respect to our public and private lives alike. Have we contemplated the parameters of critical infrastructure in a connected world? You know, a world where your grandmother’s new “intelligent” refrigerator could be linked to the takedown of the U.S. Federal Reserve or a network-enabled HVAC system could lead to a leak of the health information of an entire legislature. We must ask: what is critical infrastructure and who is touching it?
By now you are aware that the National Institute of Standards and Technology (NIST) released for public comment a draft of version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity,” fondly nicknamed by industry insiders as the “CSF” or the “Framework.”
The CSF points to 2013 Executive Order 13636 (EO) on “Improving Critical Infrastructure Cybersecurity” to define critical infrastructure. In reality, that definition comes from the USA PATRIOT Act of 2001.
CSF 1.0 clearly recognized the impact of IT and OT convergence on cyber risks. CSF Draft 1.1 goes further: consistent with its intent that the CSF be a “living document,” it articulates the relevance of cyber supply chain risk. Given the impact third party ecosystems can have in a connected world, we must assess their security impact on critical infrastructure.
I have long advocated the premise that cybersecurity is not just about information alone. See Blog Posts. Rather, a comprehensive, flexible architecture and a layered approach across the growing third party ecosystem for our critical infrastructure is essential to meaningful security. In fact, 87% of respondents to the 2016 Deloitte third party governance and risk management global survey had a disruptive incident linked to a third party in the last 2-3 years. Moreover, 28% of those incidents resulted in major disruptions.
- The inclusion of Cyber Supply Chain Risk Management (SCRM) as an element of the organizational tier analysis,
- A recognition of the need for customized cyber requirements to address the differences in each third party’s products or services, whether IT or OT, and
- A discussion of the need for a “prioritized list of organizational cybersecurity requirements.”
As I offered in a blog for the National Cyber Security Alliance, applying risk-based security throughout the third party ecosystem is paramount. Cybersecurity can only be achieved when successfully intertwined with security technology, physical security and logical security. This layered approach across the supply chain optimizes protection.
The initial step should be identifying end-to-end lifecycle and operational processes. Why? Only by mapping the lifecycle and operational processes across our critical infrastructure can we meaningfully address cyber resiliency throughout it—from design, development, implementation and maintenance to end of life.