November is Critical Infrastructure Security and Resilience Month. Recently, we shared tips for protecting each designated critical infrastructure sector:
Critical Infrastructure and Public Protection Strategies: Part 1
Critical Infrastructure and Public Protection Strategies: Part 2
In this blog post, we’ll look into what security and resiliency really mean for critical infrastructures such as water monitoring systems and emergency services. We’ll also examine how any organization, regardless of industry, can measure risk and improve its cyber defenses.
Start with infrastructure security
At CIS®, we encourage users to start secure and stay secure. But what does security really mean? For critical infrastructure sectors, security is defined by Presidential Policy Directive 21 (PPD-21):
The terms ‘secure’ and ‘security’ refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.
Organizations can implement security in different ways, including both physical and cybersecurity measures. Examples include:
- Installing ID badge verification at doorways
- Using security fencing around buildings
- Deploying network monitoring
- Locking devices (such as laptops and cell phones) when not in use
Build with resilience
According to the same policy directive (PPD-21), critical infrastructure sectors should strive for resilience:
The term ‘resilience’ means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
As with security, there are both physical- and cyber-resilience strategies organizations undertake, such as:
- Having a backup power generator
- Developing a business continuity plan
- Building with materials appropriate to the area’s natural risks
- Implementing annual cybersecurity training for employees
Manage the risk
One key concept behind both security and resiliency is managing risk. PPD-21 explains that critical infrastructure “owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”
Cyber risks include DDoS attacks, malware, phishing scams, data breaches, and more. So how can critical infrastructure sectors and other organizations get prepared? To help organizations understand and mitigate cyber risks, we offer a free resource known as CIS RAM (CIS Risk Assessment Method). CIS RAM helps organizations conduct a cyber risk assessment and implement cybersecurity best practices found in the CIS Controls™. The method provides three pathways based on your organization’s experience with cyber risk:
- For organizations new to risk analysis, CIS RAM provides instructions for modeling threats against the CIS Controls.
- CIS RAM helps organizations more experienced with cybersecurity model threats against information assets.
- For cyber risk experts, CIS RAM offers instructions for analyzing risks based on “attack paths.”
The Road Ahead
Building organizational security and resiliency can be especially challenging when dealing with cyber threats. By conducting a cyber risk assessment, organizations can invest time upfront to ensure they are implementing informed policies and processes. This helps ensure security controls are effective against real-world threats. CIS RAM is one method to help organizations get started and assess against risk-based cybersecurity models.
