New guidelines for building cyber into critical infrastructure

The Office of Management and Budget has set a 2017 deadline for agencies to deploy continuous monitoring tools.

Two government agencies and a public/private partnership issued recommendations -- and some new requirements -- for building cybersecurity into the systems, controls and platforms that underpin critical infrastructure.

The National Institute of Standards and Technology, which is also developing an overarching federal cybersecurity framework, convened workshops earlier this year with the nonprofit Cyber Security Research Alliance to create a road map for designing built-in critical infrastructure security. The group -- a mix of representatives from government, industry and academia -- released a comprehensive report Nov. 20 that highlights ways to secure vulnerable public-facing IT systems.

The joint NIST/CSRA report comes on the heels of a Nov. 18 memo from the Office of Management and Budget that provides a framework for federal agencies to use to manage risk and continuously monitor critical IT networks and systems.

"It's important to point out that cyber-physical systems pretty much touch our lives in just about everything we do today," said Lee Holcomb, president of CSRA and director of transformation integration at Lockheed Martin. "They include all modes of transportation, energy, health care, consumer electronics. Pretty much everything we do on a daily basis in some way touches some part of CPS. Protecting those systems is really important, and that was what we took on."

CSRA and the recent report focus on CPS, which includes IT systems that support industrial controls, data communications and public utilities. The report's findings target the establishment and improvement of common taxonomy, architectures, metrics, best practices, standards, interoperability, and other methods to improve systems' resiliency and encourage cybersecurity efforts. It also calls for the establishment of CPS curricula to ensure that the workforce has adequate skills and expertise.

Holcomb added that CSRA members are conducting further research and implementing numerous findings in the report. Meanwhile, OMB has chosen a phased approach and set a 2017 deadline for agencies to deploy information security continuous monitoring (ISCM) tools that provide dynamic and proactive cybersecurity. OMB's memo also specifies the use of strategic sourcing to "minimize the costs associated with implementing requirements of the risk management framework."

The memo includes eight steps for instituting ISCM across the government and assigns specific responsibilities to the Department of Homeland Security and NIST, including the establishment of a federal dashboard for ISCM, coordination with the PortfolioStat and CyberStat programs, and ongoing guidance.

"By strengthening the underlying information technology infrastructure through the application of state-of-the-art architectural and engineering solutions, and leveraging automation to support the implementation of the risk management framework (which includes the ongoing monitoring of security controls), agencies can improve the effectiveness of the safeguards and countermeasures protecting federal information and information systems in order to keep pace with the dynamic threat landscape," OMB Director Sylvia Burwell wrote in the memo.