Over the past year there has been a significant increase in the number and frequency of cyber-attacks on major retailers, social media sites, and financial institutions. From identity theft and credit card fraud to denial of service, these cyber criminals are starting to disrupt our lives in small but troubling ways. What happens when those cyber-attacks move into areas of critical infrastructure like power, water, electricity, and communications? Attacks on our nation’s critical infrastructure could affect millions of people in a catastrophic way.
To address these concerns, President Obama issued an Executive Order last year aimed at strengthening the cybersecurity of the nation’s critical infrastructure. The EO tasked the National Institute of Standards and Technology (NIST) with developing a voluntary cybersecurity framework, the Department of Homeland Security (DHS) with helping to promote the adoption of the framework, and regulatory agencies with reviewing and commenting on regulations as they relate to the framework. Critical infrastructure is owned and operated by both government and industry partners. In order to address cybersecurity needs NIST, DHS, and the FCC need to partner and work hand-in-hand with industry to accomplish these tasks.
Over the 12 months following the EO, NIST conducted five workshops around the country and invited private industry, government, and academia to work together to develop a cybersecurity framework to help increase the strength and resiliency of the nation’s critical infrastructure. The framework would be based on industry standards and best practices and addressed cybersecurity capabilities from the top level of an organization (c-suite) to the bottom.
CableLabs, along with several cable member companies, attended and participated in all of the NIST framework workshops. The cable industry provided input and guidance on the processes and procedures that were included in the framework’s design. They would meet regularly with the NIST team to discuss concerns as they applied to the cable industry and provide direction in addressing those concerns. After each release of a framework draft, CableLabs and the member companies provided comments and suggested modifications. The first version of the framework was released by NIST this past February and has received rave reviews from both industry and government as a great first step in raising the security posture of this country’s cybersecurity.
Once the framework was completed, DHS launched the Critical Infrastructure Cyber Community (C3) Voluntary Program. The Voluntary Program consists of three major activities: Supporting the use of the framework, outreach and communications to industry and stakeholders, and feedback into future versions of the framework. DHS is willing to work with stakeholders in understanding the use of the framework and other risk management efforts, as well as help develop guidance for implementing the framework. They will be providing tools to help organizations determine their current cybersecurity capability level and use the framework to fill in the gaps. They will then take the lessons learned from their work with industry and feed it back into the framework to continually evolve it as industries and technologies move forward.
CableLabs and other cable members are actively participating in the Voluntary Program, working with DHS to evolve the framework for the cable industry and provide lessons learned on use of the framework in the cable industry.
In support of the EO directive, the FCC has assigned Working Group 4 (WG4) to focus on using and adopting the framework into the communication sector under the Communication Security, Reliability, and Interoperability Council (CSRIC) IV. The objective of WG4 is to review the best practices developed during CSRIC efforts and determine if there are any gaps or updates needed in support of the framework. The group has been divided into four sub-groups to focus on interdependent initiatives. Those subgroups are: Segment common practice framework alignment, business security management, barriers to implementation, and shared ecosystem responsibilities. Each subgroup will focus on their area but will collaborate with each other.
CSRIC IV’s official kickoff meeting for Working Group 4 was March 18. CableLabs and several cable companies are involved in various working groups under the CSRIC IV. CableLabs has been identified as a co-chair focusing on small to medium size businesses and impediments to using the framework. We will be working across the subgroups to provide insight in each area from a small to mid-size company perspective.
CableLabs will be working with our member companies to help them understand and use the framework strategies to help protect their networks as well as their customer data. We will continue to work with NIST, DHS, and the FCC to provide feedback on the integration efforts and to help drive the evolution of the framework.
With this type of teamwork, along with thoughtful leadership, the United States will be able to protect its critical infrastructure from the types of cyber-attacks that have been dominating recent headlines.
By Susan Joseph, Principal Security Architect, CableLabs –