Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing organisations at risk. Such threats can drive up costs, reduce revenue and harm an organisation’s ability to innovate and to gain and retain customers.
The US government and private sector have collaborated to produce an order for improving critical infrastructure cybersecurity. The resulting ‘framework’, released this month, enables organisations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
The Framework is adaptive, providing a flexible, risk-based implementation that can be used alongside a broad array of existing cybersecurity risk management processes, including those based on International Organization for Standardization (ISO) standards.
The Framework has three components. Together they help an organisation identify and prioritise actions for reducing cybersecurity risk, and serve as a tool for aligning policy, business and technological approaches to managing that risk:
1. Framework Core – A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organised around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories and Informative References.
2. Framework Implementation Tiers – A lens through which to view the characteristics of an organisation’s approach to risk – how an organisation views cybersecurity risk and the processes in place to manage that risk.
3. Framework Profile – A representation of the outcomes that a particular system or organisation has selected from the Framework Categories and Subcategories.
The Framework can serve as a foundation for a new cybersecurity programme or as a mechanism for improving an existing programme. These 7 steps illustrate how your business can use the Framework to develop a roadmap to strengthen its cybersecurity.
Step 1: Prioritise and Scope – Identify your business/mission objectives and organisational priorities. Then make strategic decisions regarding cybersecurity implementations and determine the systems and assets that support those business processes.
Step 2: Orient – Once the scope of the cybersecurity programme has been determined, you can identify related systems and assets, regulatory requirements and overall risk approach. You must then identify threats and vulnerabilities of those systems and assets.
Step 3: Create a Current Profile – Develop a Current Profile using the Framework Core, identifying which Category and Subcategory outcomes are currently being achieved.
Step 4: Conduct a Risk Assessment – Using the current risk management process or previous risk assessment activities, analyse the business operational environment to discern the likelihood of a cybersecurity event and the impact of such an event. You must incorporate emerging risks and threat and vulnerability data.
Step 5: Create a Target Profile – Create a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organisation’s desired cybersecurity outcomes.
Step 6: Determine, Analyse and Prioritise Gaps – Compare the Current Profile and Target Profile to determine gaps. Next, create a prioritised action plan to address those gaps, drawing upon mission drivers, cost/benefit analysis and an understanding of the risks, in order to achieve the outcomes in the Target Profile.
Step 7: Implement Action Plan – Determine which actions to take to close the gaps, and monitor your current cybersecurity practices against the Target Profile. The Framework identifies example ‘Informative References’ for each Category and Subcategory; you can determine which standards, guidelines and practices work best for your business.
These steps should be repeated to continuously assess and improve business cybersecurity.
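To make the Core structure (Functions, Categories, Subcategories, Informative References) and Steps 3 to 7 concrete, here is an added worked example in Python; it is not code from the article or from NIST. It models a small slice of the Framework Core, represents a Current and a Target Profile as per-Subcategory achievement levels, performs the Step 6 gap analysis, and ranks the gaps using the Step 4 likelihood/impact ratings against a relative cost. The Core slice, the 0–3 achievement scale, the risk ratings and the costs are all constructed assumptions for this illustration; the Subcategory identifiers follow the Framework’s naming scheme, but the outcome wording is paraphrased and the references are illustrative.

```python
"""Current vs Target Profile gap analysis over a slice of the Framework Core.

Added example, not from the article or NIST. The Core slice, the 0-3
achievement scale, the risk ratings and the relative costs are constructed
for this illustration; Subcategory identifiers follow the Framework's naming
scheme but their outcome wording is paraphrased.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    ident: str         # Framework identifier, e.g. "ID.AM-1"
    function: str      # Identify, Protect, Detect, Respond or Recover
    category: str
    outcome: str       # paraphrased outcome statement
    references: tuple  # Informative References (illustrative)


# Constructed slice of the Framework Core (Functions > Categories > Subcategories).
CORE = (
    Subcategory("ID.AM-1", "Identify", "Asset Management",
                "Physical devices and systems are inventoried", ("ISO/IEC 27001", "NIST SP 800-53")),
    Subcategory("PR.AC-1", "Protect", "Access Control",
                "Identities and credentials are managed", ("ISO/IEC 27001", "NIST SP 800-53")),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored for potential cybersecurity events", ("NIST SP 800-53",)),
    Subcategory("RS.RP-1", "Respond", "Response Planning",
                "A response plan is executed during or after an event", ("ISO/IEC 27001",)),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "A recovery plan is executed during or after an event", ("ISO/IEC 27001",)),
)

# Constructed 0-3 scale for how far each outcome is achieved in a Profile.
ACHIEVEMENT = {0: "not achieved", 1: "partially achieved",
               2: "largely achieved", 3: "fully achieved"}


def validate_profile(profile, core=CORE):
    """Reject a Profile that names unknown Subcategories or uses an undefined level."""
    known = {s.ident for s in core}
    unknown = sorted(set(profile) - known)
    if unknown:
        raise ValueError(f"unknown Subcategory identifiers: {unknown}")
    bad = sorted(i for i, lvl in profile.items() if lvl not in ACHIEVEMENT)
    if bad:
        raise ValueError(f"achievement level out of range for: {bad}")
    return True


@dataclass(frozen=True)
class Gap:
    ident: str
    function: str
    current: int
    target: int

    @property
    def size(self):
        return self.target - self.current


def gap_analysis(current, target, core=CORE):
    """Step 6: compare Current and Target Profiles, one Gap per Subcategory where
    the target exceeds the current state. A Subcategory absent from a Profile
    counts as level 0 (not achieved), so an incomplete Current Profile surfaces
    as a gap rather than being silently skipped."""
    validate_profile(current, core)
    validate_profile(target, core)
    return [Gap(s.ident, s.function, current.get(s.ident, 0), target.get(s.ident, 0))
            for s in core if target.get(s.ident, 0) > current.get(s.ident, 0)]


def prioritise(gaps, risk, cost):
    """Rank gaps by risk reduction per unit of effort.
    risk: ident -> (likelihood 1-5, impact 1-5) from the Step 4 risk assessment;
    cost: ident -> relative effort (> 0). The score size * likelihood * impact / cost
    is a constructed heuristic standing in for the mission drivers and cost/benefit
    analysis the article mentions."""
    def score(gap):
        likelihood, impact = risk[gap.ident]
        return gap.size * likelihood * impact / cost[gap.ident]
    return sorted(gaps, key=score, reverse=True)


def action_plan(current, target, risk, cost, core=CORE):
    """Step 7 input: ordered (identifier, current, target, Informative References)."""
    refs = {s.ident: s.references for s in core}
    return [(g.ident, g.current, g.target, refs[g.ident])
            for g in prioritise(gap_analysis(current, target, core), risk, cost)]


# Constructed Profiles, risk ratings and costs for one assessment cycle.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 3}
RISK = {"ID.AM-1": (3, 3), "PR.AC-1": (4, 5), "DE.CM-1": (4, 4), "RS.RP-1": (2, 4), "RC.RP-1": (2, 5)}
COST = {"ID.AM-1": 2, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 1, "RC.RP-1": 2}

if __name__ == "__main__":
    for ident, cur, tgt, refs in action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK, COST):
        print(f"{ident}: {ACHIEVEMENT[cur]} -> {ACHIEVEMENT[tgt]}; see {', '.join(refs)}")
```

Running the script prints the ranked action plan: with the constructed data, the unmonitored network (DE.CM-1) comes first because it combines a two-level gap with high likelihood and impact, while the asset inventory (ID.AM-1) ranks last despite being cheap, because its gap is small and its risk rating low. Re-running the cycle with an updated Current Profile after each implementation round is the repetition the article describes.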