In 2013 President Obama issued Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.” The executive order instructed the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that would provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.
The definition of “critical infrastructure” in the executive order is:
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”
The state of cybersecurity
Given the availability of a variety of standards for cybersecurity management, people have asked why a cybersecurity framework is required. Furthermore, many of these standards have been in existence for many years. Many people believe that the requirements of these standards are being followed, so further similar standards will not help.
There are many publicly available reports on cybersecurity attacks, and there has been a common theme:
- Ninety seven percent were avoidable with basic or intermediate security controls.
- Ninety two percent were discovered by a third party.
- Twenty percent of network intrusions involved manufacturing, transportation, and utilities.
- Seventy six percent of network intrusions exploited weak or stolen credentials.
- So despite the availability of standards, it is clear that many organizations are not applying them to the degree required.
The Repository of Industrial Security Incidents produces an annual report that focuses specifically on industrial control systems (ICS). These reports have similar conclusions to those from Verizon. T
The statistics from Verizon cover all sectors and industry types. Within industrial automation-oriented sectors, the situation varies considerably. Many such organizations have mandatory cybersecurity standards (i.e., NERC CIP in the power industry), and their cybersecurity management programs are good. However many organizations that have a potentially high impact on critical infrastructure (e.g., water or wastewater organizations) have a much lower degree of cybersecurity management adoption.
There are many reasons for this situation, and they include:
- lack of awareness in organizations, in particular at the top of the organization
- misunderstanding the level of risk an organization has (e.g., “that only happens to other companies,” “this has never happened before”)
- inability to quantify the risk in likelihood or impact terms, resulting in inappropriate level of investment
- lack of adequate training in cybersecurity good practice, especially in regards to basic controls, such as good password management, backups, and malware protection
The purpose of the NIST Cybersecurity Framework is to help tackle some of these issues. The cybersecurity framework is not another standard. Instead it is a high-level concept that brings together relevant standards and sets them in an appropriate context.
ISA Cybersecurity Resources
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- ISA Global Cybersecurity Alliance
- Cybersecurity Resources Portal
- Cybersecurity Training
- Cybersecurity Blog Posts
- IEC 62443 Conformance Certification
- ISA Suite of Security Standards
- ISA Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Industrial Cybersecurity Technical Resources Brochure