The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity, on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework (Framework) that provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk. Critical infrastructure is defined in the EO as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization's size, threat exposure, or cybersecurity sophistication today. The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the Nation's infrastructure. Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS). This reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased potential risk to operations.
For example, as ICS and the data produced in ICS operations are increasingly used to deliver critical services and support business decisions, the potential impacts of a cybersecurity incident on an organization's business, assets, health and safety of individuals, and the environment should be considered. To manage cybersecurity risks, a clear understanding of the organization's business drivers and security considerations specific to its use of IT and ICS is required. Because each organization's risk is unique, along with its use of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework will vary. Recognizing the role that the protection of privacy and civil liberties plays in creating greater public trust, the Executive Order requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization's approach to cybersecurity risk management. Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.