After a year-long process, the US has issued a framework for managing cyber security risks to critical national infrastructure industries. The Framework for Improving Critical Infrastructure Cybersecurity (the ‘Framework’) was developed by the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) in response to an executive order by the President of the United States. It is intended to assist owners and operators in 18 critical infrastructure industries (ranging from energy to transportation and communications) in preparing for, preventing, mitigating, and responding to cyber security threats. The Framework draws heavily on existing standards (such as NIST 800-53 Rev 4, ISO 27001:2013, ISA 62443-2-1:2009, and COBIT 5) and addresses management of cyber security risks “for those processes, information, and systems directly involved in the delivery of critical infrastructure services”. While designed to address US cyber vulnerabilities, the Framework is clear that it is not country-specific and was developed to create “a common language for international cooperation on infrastructure cybersecurity”.

The Framework defines 5 core cyber security ‘Functions’: (i) identify (risks to systems, assets, data, and capabilities); (ii) protect (safeguards to assure continuous operation and delivery); (iii) detect (identify, communicate, and escalate cyber security threats); (iv) respond (escalate and mitigate cyber intrusions); and (v) recover (recovery and restoration of capabilities and services degraded as a result of unauthorised intrusions). Within each Function, the Framework defines Categories (such as ‘Asset Management’, ‘Access Control’ and ‘Detection Processes’) and subcategories (for specific outcomes of technical and/or management activities) with appropriate annotations to Information References (standards, guidelines, policies and practices). Using the Framework, an organisation can map its assets and vulnerabilities, as well as its response and remediation plans.

Apr-Jun 2014 Issue

Dickinson Wright PLLC