The Cybersecurity of our Critical Infrastructure: Part Two
This review of the cybersecurity of our commercial, financial, communications, and emergency sectors sheds a somewhat different light on the problems in cyberspace that must be addressed. While in Part One of this series much of the cybersecurity discussion focused on the operational technologies within each sector, these four sectors lean heavily toward protecting systems that hold critical data: credit card and Social Security numbers, addresses, and all other PII. These four sectors have come a long way since Executive Order 13636 was first issued, and their tools and techniques differ vastly from those in the chemical, energy, nuclear, and food sectors.
So, without further ado, let's look at the past and present practices of these critical sectors.
Commercial Facilities Sector
The RE-ISAC (Real Estate Information Sharing and Analysis Center) is a primary channel for cyber risk information for the Commercial Facilities (CF) sector. It shares sector-specific information from across government sources, including fusion centers, the United States Computer Emergency Readiness Team (US-CERT), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The Cybersecurity in the Retail Sector webinar provides retail employees and managers with an overview of the cyber threats and vulnerabilities facing the industry. It also reviews the types of cyber systems and infrastructure used by the retail industry and what retail personnel can do to address the industry's unique vulnerabilities in those cyber resources.
The CF sector launched its cyber working group in 2014 to gain better insight into private-sector cybersecurity needs and to promote implementation of the NIST Cybersecurity Framework.
This sector has collaborated with related sectors, such as Financial Services and Emergency Services, to develop crisis response and management procedures while monitoring the accessibility of financial resources throughout the CF sector.
While these tools and practices were sufficient at the time, the CF sector does require some updated cybersecurity practices, especially with the rise of more complex and aggressive cyber threats across the globe. It has become apparent that the CF sector still has a way to go when it comes to securing its main source of technological connectivity, the Internet of Things (IoT).
Communications Sector
There does not seem to be a sector-specific cybersecurity plan for this sector. Like most sectors, it agrees to comply with the NIST Framework and FCC guidelines for identifying, securing, and mitigating all critical assets and cyber events; however, when it comes to the specific tools and techniques used to do this, the Communications Sector-Specific Plan that followed EO 13636 says almost nothing.
That changed with the EO issued by President Biden calling for the improvement of the nation's cybersecurity (EO 14028). The Communications Sector Coordinating Council (CSCC) and CISA have joined forces to bring the public and private sectors into agreement on crisis action planning, response, and mitigation of cyber events, with the Enduring Security Framework in place to secure the national supply chain, 5G infrastructure, cable, satellite, and all other methods of mass communication in the United States. The sector has truly come a long way since 2014 in making cybersecurity a main priority of its overall security plan.
Financial Sector
While under EO 13636 the financial sector planned to adhere to the new NIST Framework of 2014, this sector has since become significantly more vigilant in its cybersecurity practices. With the release of the 2022 Cybersecurity and Financial System Resilience report, the sector laid out the practices, procedures, and leadership of the cybersecurity effort on its front. Nationally, the FDIC and FFIEC have worked diligently not only to secure their technology and provide mitigation tactics for ransomware, phishing, and data-compromising attacks, but also to release many resources that help local small and mid-sized banks understand and comply with current cybersecurity standards. These include "Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks," "FFIEC Webinar on the Architecture, Infrastructure, and Operations Booklet of the IT Examination Handbook," "Ransomware Program for Small-to-Mid-Size Financial Institutions," and the "Computer-Security Incident Notification 'Ask the Regulators' Forum." These are some fantastic tools laid out for all financial institutions in order to secure one of the most critical sectors, one that holds some of the most sensitive personal data. The FDIC has learned from the multitude of attacks posed against our infrastructure daily and has built a foundation for informing, identifying, and protecting the financial sector to the best of its ability. While Crest has partnered with the FDIC to enhance its cybersecurity practices, our respect for its dedication to cyber health stands regardless.
Emergency Services
The Emergency Services Sector (ESS) was, from the very beginning, adamant about its plan to integrate cybersecurity into its risk management plan, outlining its partnership with the DHS Office of Cybersecurity and Communications (CS&C) to implement the NIST Framework, conduct cyber risk assessments, and make cybersecurity a long-term, constantly evolving effort within the sector. It established the Emergency Services Sector Cyber Risk Assessment to enhance the security and resilience of its voice, data, and video communications systems and networks against possible cyber events. It also published an ESS Cybersecurity Best Practices outline for organizations and employees in this sector to protect not only their important assets but themselves from potential cyber threats. The sector's vigilance in the early stages of cybersecurity management was considerably more comprehensive than that of other sectors at the time; however, few updates to these practices have been made since (at least to the public's knowledge). It has recently implemented an endpoint security program, but when it comes to updates in awareness and identification of potentially vulnerable assets, there is not much to report.
Conclusion
Now that we have the information laid out in front of us, it is clear that these four sectors still have a way to go in updating some of their cybersecurity practices. When it comes to unifying the private and public institutions within each sector, it can take ample time to get everyone to comply with the cybersecurity standards that have been created, but given each sector's original vigilance, Crest has no doubt there will be extensive progress in fighting the millions of cyber adversaries looking to infiltrate our critical systems.
Stay tuned next week for Part Three of our critical infrastructure series, and if you haven't read the earlier articles in this series, hop to!
As always, for more information about Crest Security Assurance, please visit the services tab on our website and look out for our weekly blog posts.
Sources:
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-commercial-facilities-2015-508.pdf
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-communications-2015-508.pdf
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-financial-services-2015-508.pdf