On 12 February 2013, President Obama issued Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.” The executive order instructed the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that would provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.”
The definition of “critical infrastructure” in the executive order is:
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The state of cybersecurity
Given the availability of a variety of standards for cybersecurity management, many of which have existed for years, people have asked why a cybersecurity framework is required. Many believe that the requirements of these standards are already being followed, so a further, similar standard will not help.
There are many publicly available reports on cybersecurity attacks, and there has been a common theme throughout these for the past few years, exemplified by these statistics from Verizon’s breach reports of 2012 and 2013:
- Ninety-seven percent were avoidable with basic or intermediate security controls (2012).
- Ninety-two percent were discovered by a third party (2012).
- Twenty percent of network intrusions involved manufacturing, transportation, and utilities (2013).
- Seventy-six percent of network intrusions exploited weak or stolen credentials (2013).
So despite the availability of standards, it is clear that many organizations are not applying them to the degree required.
The Repository of Industrial Security Incidents produces an annual report that focuses specifically on industrial control systems (ICS). These reports have similar conclusions to those from Verizon. The 2013 annual report stated that 33 percent of all ICS incidents were perpetrated using remote access.
The Verizon report from 2012 has staggering temporal statistics relating to cybersecurity attacks. In 2012, 75 percent of attacks took just minutes to compromise an organization. At the same time, 54 percent of these compromises took months to be discovered (and, as noted, 92 percent of these discoveries were not made by the organization itself). Even after this lengthy delay to discovery, restoration took months in 17 percent of cases and weeks in 38 percent of cases.
The statistics from Verizon cover all sectors and industry types. Within industrial automation-oriented sectors, the situation varies considerably. Many such organizations are subject to mandatory cybersecurity standards (e.g., NERC CIP in the power industry), and their cybersecurity management programs are good. However, many organizations that have a potentially high impact on critical infrastructure (e.g., water or wastewater organizations) have a much lower degree of cybersecurity management adoption.
There are many reasons for this situation, and they include:
- lack of awareness in organizations, in particular at the top of the organization
- misunderstanding the level of risk an organization has (e.g., “that only happens to other companies,” “this has never happened before”)
- inability to quantify the risk in likelihood or impact terms, resulting in an inappropriate level of investment
- lack of adequate training in cybersecurity good practice, especially with regard to basic controls, such as good password management, backups, and malware protection
The purpose of the NIST Cybersecurity Framework is to help tackle some of these issues. The cybersecurity framework is not another standard. Instead, it is a high-level concept that brings together the relevant existing standards and sets them in an appropriate context.
A version of this article was also published in InTech magazine.