Cybersecurity is about much more than just protecting your systems from hackers and unauthorized use. Cybersecurity also encompasses responsible Risk Management and Mitigation strategies. Properly implemented and supported, these strategies can not only protect your critical systems from damage and unauthorized access, but can also make them more resilient. In the event of a breach, a strong focus on resiliency measures will help minimize data loss and system downtime, and enable your organization to return to peak capacity as fast as possible with minimal impact on customers and end users.
As we end National Cyber Security Awareness Month and kick off November’s Critical Infrastructure Security and Resilience Month, it’s worth noting that more than 80 percent of America’s critical infrastructure is privately owned. Protecting these critical assets requires focus from both the private and public sectors. In our years of working with critical infrastructure companies, Secure Halo has found increasing recognition of the need to adopt standards such as the federal NIST Cybersecurity Framework. Companies we’ve assessed that were slow to adopt have received lower cyber maturity scores because they do not have security controls across their enterprise to address people, processes and technology. Cyber maturity translates into resiliency – the ability to understand and recognize risk, and to put processes in place to mitigate it.
Your critical systems and services may be protected by the best network appliances money can buy, but that means little if your equipment isn’t supported by strong management and operational controls. This coordination of controls across domains ensures that you not only have the best technological solution available for your organization’s application, but also the appropriate level of policy support and enforcement, and effective execution on the individual employee level.
NIST 800-53A outlines three classes of Risk Management controls that, when thoughtfully considered, help provide an effective framework for mitigating and managing risks to your critical systems. These three domains are: Technological Controls, Managerial Controls, and Operational Controls.
Technical Controls
NIST defines technological controls as “The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.”
In plain language, technical controls encompass everything from the equipment on which you conduct your work, to the equipment that protects your organization. Some other things to keep in mind are:
- Access Controls – Not only how individuals access information systems, but whether those means are responsibly disabled after access has been revoked because of termination or transfer, or because the “need to know” has ended.
- Identification and Authentication – Employee IDs, PINs, and multi-factor authentication all help to regulate users’ access to physical as well as network resources. These controls work hand in hand with Access Controls.
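The Access Controls bullet above describes a control that is easy to state and easy to let slip: access must actually be disabled once the reason for it is gone. The following is an added example, not code from the original post or from Secure Halo, showing one way to check that. It reconciles a list of entitlement grants against an HR roster and flags any grant whose holder has been terminated, has transferred out of the department the grant was scoped to, or whose time-boxed need-to-know has expired, plus grants with no HR record at all. The data classes, field names and the sample roster are all constructed for this illustration and do not correspond to any real IAM or HR product.

```python
"""Access revocation review: reconcile entitlement grants against an HR roster.

Added example (hypothetical). Flags accounts that should have been disabled
after termination, transfer, or expiry of a need-to-know. The record layouts
and field names are assumptions, not the schema of any real IAM system.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str            # "active" or "terminated"
    department: str        # current department, i.e. after any transfer


@dataclass(frozen=True)
class Grant:
    account: str
    emp_id: str
    resource: str
    required_department: Optional[str]   # None = grant is not department-scoped
    expires: Optional[date]              # None = no time-boxed need-to-know


@dataclass(frozen=True)
class Finding:
    account: str
    resource: str
    reason: str


def review_grants(roster: List[Employee], grants: List[Grant], today: date) -> List[Finding]:
    """Return every grant that should already have been disabled, with the reason."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for g in grants:
        emp = by_id.get(g.emp_id)
        if emp is None:
            # No HR record behind the account: nobody owns this access.
            findings.append(Finding(g.account, g.resource, "orphaned: no HR record"))
        elif emp.status != "active":
            findings.append(Finding(g.account, g.resource, "terminated"))
        elif g.required_department and emp.department != g.required_department:
            # The person still works here but moved out of the scoped department.
            findings.append(Finding(g.account, g.resource,
                                    f"transferred out of {g.required_department}"))
        elif g.expires is not None and g.expires < today:
            findings.append(Finding(g.account, g.resource, "need-to-know expired"))
    return findings


# Constructed sample data for the demonstration.
ROSTER = [
    Employee("E100", "active", "SCADA-Ops"),
    Employee("E101", "terminated", "SCADA-Ops"),
    Employee("E102", "active", "Finance"),      # transferred out of SCADA-Ops
    Employee("E103", "active", "IT"),
]

GRANTS = [
    Grant("jdoe", "E100", "hmi-console", "SCADA-Ops", None),          # legitimate
    Grant("asmith", "E101", "hmi-console", "SCADA-Ops", None),        # terminated
    Grant("bjones", "E102", "hmi-console", "SCADA-Ops", None),        # transferred
    Grant("clee", "E103", "vpn-vendor", None, date(2024, 1, 31)),     # expired
    Grant("svc-legacy", "E999", "historian-db", None, None),          # orphaned
]

REVIEW_DATE = date(2024, 3, 1)   # constructed "today" for the review


def run_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_grants(ROSTER, GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:<12} {f.resource:<14} {f.reason}")
```

Run periodically (and after every termination or transfer notice), the output is the revocation work list. The checks are ordered so that the most decisive reason wins: a terminated employee is reported as terminated even if the grant had also expired.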
Management Controls
Having the best equipment you can afford, and the most appropriate equipment for your application, are important. But beyond that, your equipment must be patched, updated, and upgraded. These should happen according to a regular schedule, but that schedule is also contingent on outside factors such as newly discovered vulnerabilities, zero-days, or a breach of your organization or a related one. All of these events can and should push your update schedule, change control, and configuration reviews.
Managerial Controls also govern which users have access to your network, and how they will behave once that access is granted. A well-documented and enforced division of responsibility outlines what roles, responsibilities, and capabilities are expected from and granted to particular sections of your organization.
- Division of responsibility – Division of responsibility has roots in the Principle of Least Privilege, as well as in balancing workload. This should be well documented and outlined in user agreements.
- Planning – Security planning doesn’t have to originate from the top, but higher levels of management need to be involved in the development and execution of a comprehensive strategy to safeguard your Information System.
- System and Services Acquisition – Your acquisition strategy should take your current equipment, customer requirements, security plans, and budget into account.
Operational Controls
Operational Controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
- Awareness and Training – Training will often be organized by management, but it will be executed on an operational level. Ensure your personnel are up to date on organizational and cyber security procedures.
- Maintenance – Proper and regular maintenance of network and physical security systems, as well as thorough documentation of the same, help ensure your organization is less vulnerable to exploits on all levels.
- Contingency Planning – What happens in the event of a power or service outage or a natural disaster? Have a plan to outline and minimize your Maximum Acceptable Outage time. This is an important part of your Business Continuity Plan.
None of these controls exist in a vacuum. In each case, they must be considered within the context of the other classes of risk management controls. While management may set policies at the Technology level, they are then executed and operated at the Operational level. Feedback from each level should be encouraged and used to inform decisions on use, purchasing, architecture, and future policy and policy execution.
IT risk management and mitigation is a crucial step toward building resiliency in your critical systems. The knowledge gained will better enable your organization to withstand and recover from any hazards and threats that present themselves. At the end of the day, critical infrastructure security serves not only the organization or business, but also local, state, and national security interests.