The first was obvious: collaboration must underlie the entire process of creating a cybersecurity framework to improve how critical infrastructure providers protect systems and networks.
But it was the second theme that will set the path forward for how providers and government create the central piece of the executive order, signed by the President on Feb. 14. Industry officials say the cybersecurity framework, which will pull together existing cyber best practices and standards that can be used across all sectors, must go beyond the basics of managing security risks.
Representatives from the critical infrastructure providers told the National Institute of Standards and Technology, which hosted the event at the Department of Commerce in Washington, that most already address the basic risk issues.
“One of the problems that we struggle with is: what is the measure of success? Security is not a binary. It’s not you are secure or you’re not secure,” said Terry Rice, the associate vice president for IT risk management and chief information security officer for Merck. “We struggle to determine precisely where we should be making investments. And it’s not just within IT. It’s also within, if I have a dollar, do I spend it on research on Alzheimer’s or cancer or some other affliction, or do I spend it on protecting my information and systems?”
He added the framework needs to address how best to measure risk.
“I’m not talking about the thousands [of metrics] we have at the tactical level today,” Rice said. “But how do those [come] together to answer questions about risk that will allow us to make decisions about where we make our investments.”
Merck already has an enterprise risk management plan, which looks at the top 10-to-12 risks that could impact the company.
Rice said cybersecurity has become an integral part of that risk discussion.
Economics of cyber
But Rice and others in industry say the framework must take into account the economics of managing risk.
Michael Papay, the vice president for information security and cyber initiatives at Northrop Grumman Information Systems, said there is a constant tug-of-war between economic costs and risk. Every company must come to terms with how much money it needs to invest to mitigate the biggest risks.
Papay said if Northrop’s data is not secure, then neither is the government’s, nor that of any of its partners such as Lockheed Martin, Boeing, Raytheon and a host of other companies. And, of course, the opposite is true too: if one of Northrop’s partners’ systems is not secure, that puts Northrop at risk as well.
Papay said the cybersecurity framework can’t lose sight of the economics issue and must provide a critical set of controls to balance all the factors.
Striking this balance will not be easy, but that’s also why Patrick Gallagher, the director of NIST, said the goal is not to reinvent the wheel or, for that matter, standards and best practices.
“Our initial plan is to organize along three main topic areas: managing risk, cyber hygiene and tools and metrics. This is because, based on what we’ve heard already from our stakeholders in government and industry, these are the pieces that will be critical,” Gallagher said. “How do we prepare for the evolving threat? What are the core practices that ought to be considered regardless of your organizational mission? What are the tools and techniques to support those goals?”
Additionally, NIST will work with industry to try to identify and fix gaps in cybersecurity, and develop a process and governance model to ensure the framework is dynamic as threats change.
Major efforts underway
Several representatives at the workshop said their sectors already are taking steps not only to secure their networks and systems, but also to find the best mix of investment to meet their business needs.
Deborah Kobza, the executive director and CEO of the National Health Information Sharing and Analysis Center, said her group is looking at cyber from an all-hazards perspective.
“We are working with the health sector and have put in place a national cybersecurity council that has both public and private sector health stakeholders on that council,” Kobza said. “We are implementing a national health care and public health cyber response framework.”
The framework is focused on how cybersecurity impacts medical devices, the networks used to generate electronic health records and other related technologies.
The government has pushed for health IT over the past decade, including offering $19 billion in reimbursements to doctors and hospitals under the Recovery Act. Kobza said this influx of money exposed a weakness in information assurance, but also provided the impetus for improvement.
“Over the past couple of years when you look at a lot of reports that have come out on risk and threats and breaches, the health sector is now the number one sector in the number of data breaches that are out there, and it’s only going to get worse,” she said. “Being able to stay on top of intelligence and situational awareness, and moving from a reactive to a proactive stance is incredibly critical for the health sector.”
Kobza said the goal of the public health cyber response framework also is to understand how physical or cyber incidents impact each other, and how best to train people to deal with those attacks.
Michael Arceneaux, the deputy executive director of the Water Information Sharing and Analysis Center, said his organization recently signed an agreement with the Homeland Security Department to improve the sharing of cyber threat information. But he said that, so far, there have been few, if any, real cyber attacks against the water system.
Standards are enforceable already
The other issue the executive order-mandated framework is trying to address is what some believe is the inability to enforce standards among critical infrastructure providers.
NIST hopes that if industry leads the effort to create them, and the government provides incentives, the owners and operators will implement the cyber framework.
But Tim Roxey, the director of the Electricity Sector Information Sharing and Analysis Center and the chief cyber security officer for the North American Electric Reliability Corporation (NERC), said enforcement and the use of standards are already happening today.
He said NERC oversees ANSI-certified processes that include more than 1,100 requirements for physical and cyber reliability.
“It is the largest collaboratively-developed by industry, mandatory and enforceable body of standards on the planet. Think about it. It’s developed by the people who have to implement it and a whole lot of people who are interested in standards. They don’t necessarily have an electric footprint, they are just interested,” Roxey said. “All of these people develop these standards in a collaborative environment. Some would say it’s not enforceable and some would say it’s not mandatory. We’ve heard this over and over again from many people over the last several years. Nay, nay I say. It is enforceable. The voluntary standards and standard setting is not a federal thing. But I’ll tell you what, the enforceability and the back stopping of that enforceability is very much a federal thing.”
He added NERC has a robust information sharing effort already. It does assessments to see how well the ISAC functions and how well people share information back to them.
Roxey said because of the standards, the industry now has common languages that cross into the physical security world as well.
First of four workshops
Yesterday’s NIST workshop was the first of at least four listening sessions with industry to discuss how to create the cybersecurity framework.
Gallagher said other listening sessions will happen May 29-31 in Pittsburgh at Carnegie Mellon University, and others in July and September, in preparation for the draft framework that is due in October.
Along with the workshops, NIST also expects the request for information it released about a month ago to help shape the framework. It already has received dozens of responses. The due date for all information is Monday.
Gallagher said to be successful the framework must find the right balance between business and security, which is similar to what vendors have been pushing about the economics of cybersecurity.