Security Integration Improvement – Addressing Cybersecurity Risks
Langner and Pederson (2013) argue that putting the emphasis on establishing risk management frameworks, while relying on the voluntary participation of the private sector that owns and operates the majority of US critical infrastructure, is a recipe for continued failure. The reason is that risk management, framed as a problem in business logic, ultimately allows the private sector to argue a hypothetical risk away. The authors suggest that a policy-based approach (as opposed to a risk-assessment-based approach) that sets clear guidelines would avoid perpetuating the problem. They also argue that drawing a distinction between critical and non-critical systems only works against the pervasiveness and sustainability of the effort to arrive at robust, well-protected systems.
Cardwell (2013) made a related point in response to the National Institute of Standards and Technology’s (NIST) “RFI – Framework for Reducing Cyber Risks to Critical Infrastructure”, issued under the Executive Order “Improving Critical Infrastructure Cybersecurity” (NIST, 2013): the “…issue is the ‘expanding redundant complexity’ of the current approach to the problem domain. While one can appreciate the efforts in gathering more information from the industry at large for establishing and improving frameworks to raise the overall level of cybersecurity across the utility industry, the problem is that it does not address the inherent complexity of the problem. It only exacerbates it by creating yet more administrative requirements for decomposing and resolving the problem domain for each utility.”
Rather than asking every utility to wade through every standard, recommendation, and framework applicable to it, Cardwell proposes a “single-source” methodology that eliminates the redundancy across all of those frameworks and is provided to utilities as the means of addressing the complexity and achieving a Digital Systems Security (DSS) Cybersecurity standard across the US utility spectrum. Using a single-source tool as the litmus test reduces the administrative and redundant effort otherwise needed to manage the same information across multiple systems, and the tool serves as a living digital document of the DSS domain, simplifying the process further.
One such tool already exists: the Cyber Security Evaluation Tool (CSET) (DHS, 2011) from the Department of Homeland Security (DHS), although it is still being refined to improve its efficacy. Even with such an application the process is certainly not “easy” for any utility, but it is relatively simple compared with wading through all the various requirements and recommendations in the hope of achieving a full decomposition of each. Simplifying the DSS Cybersecurity process in this fashion would save utilities, both individually and collectively, significant time and resources, and could galvanize the DSS efforts of the regulatory bodies and the utility industry combined.
Alongside establishing such a tool as the litmus test for a given utility’s level of DSS maturity, further work applied the Capability Maturity Model Integration (CMMI Institute, 2010) to assist utilities in that effort. That work produced an adapted CMMI model, the Electricity Subsector Cybersecurity Capability Maturity Model (DHS, 2012).