More information sharing and voluntary collaboration between government and the private sector without additional federal regulations is needed to reduce the risk of cyberattacks on the nation's critical infrastructure, cybersecurity experts said at a recent forum on the Fordham University Westchester campus.
Reducing the nation's cyber risk was the topic of presentations in March at Fordham and on other campuses around the country as White House officials spread word of a new critical infrastructure cybersecurity framework unveiled by President Obama in February. The 40-page document was prepared by the National Institute of Standards and Technology, acting on an executive order issued by Obama one year earlier.
The U.S. Department of Homeland Security has identified 16 critical infrastructure sectors: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, information technology, nuclear reactors, materials and waste, transportation systems and water and wastewater systems.
The framework serves as a guidebook that provides a set of industry standards and best practices to help organizations manage cybersecurity risks. According to its framers, it “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”
“Our goal is not to expand cybersecurity regulations,” said keynote speaker Samara N. Moore, National Security Council director for cybersecurity critical infrastructure protection. “Our goal is to harmonize existing regulations that are out there.”
Federal officials at Fordham called the document a versatile tool that companies can use to manage cybersecurity and identify gaps in their security systems.
“Know what your systems are and how systems and information are used to support delivery of your critical infrastructure services,” Moore advised. Be aware of security gaps in your system and have a contingency plan in place, she said.
Moore said the new framework also applies to critical infrastructure subsectors and “the ecosystem that supports that” such as supply chains. She said the government is encouraging organizations to better understand “the role that they play in the ecosystem.”
Cybersecurity in supply chains "is the number one issue we've been hearing," said Jon Boyens, senior adviser on information security at the National Institute of Standards and Technology.
With no federal funds budgeted to carry out Obama's executive order, the Department of Homeland Security has leveraged its own programs and resources to implement the voluntary framework program for businesses, said Jenny Menna, director of stakeholder engagement and cyber infrastructure resilience at the Department of Homeland Security. "But our intention is that this is something that will be picked up by the market," she said. She said the department has issued a request for information from companies on how to leverage economies of scale and deliver accessible and affordable cybersecurity solutions to the private sector.
For businesses, “Cybersecurity is part of enterprise risk management,” Menna said.
The heightened concern over cyber threats and exposure to attacks in private industry has served to step up business-to-business information sharing, which Moore said federal officials consider “the most valuable sharing.”
At Rockwell Automation Inc., maker of machinery systems for process manufacturing, "We see a changing dialogue with our customers," said Douglas Wylie, the company's product security risk management director. "We see an opportunity to work very collaboratively with our customers."
Wylie said he sees cybersecurity in other business sectors “as a horse race of sorts. You have a bunch of horses and some are farther ahead than others.”
The government's cybersecurity framework, said Wylie, "is giving us this common language and common architecture as we move across those boundaries" between mature and young operating systems and embedded devices speaking to each other.
Upgrading system cybersecurity "is a difficult issue in industrial control," Wylie said. "I say it's akin to changing a car tire while you're driving down the road."