NIST is a leader in the critical infrastructure protection field. NIST has been at the forefront of critical infrastructure protection since the 1990s and was working on it before that, in response to an executive order issued by President Reagan in 1986 directing federal agencies to assess their own security needs and capabilities. The result was FEMA (the Federal Emergency Management Agency) and other organizations such as NIST.
Since then, they’ve made huge strides: from helping establish standards for protecting information systems from cyber-attacks, to providing technical assistance, to publishing best-practice guides for both public- and private-sector organizations, to developing products that support cybersecurity research efforts around the world.
But the work doesn’t stop there! They’re hard at work developing solutions for emerging problems like autonomous vehicles or artificial intelligence, so we’ll be ready when those challenges come knocking on our door, too (or if you’re lucky enough to live somewhere these challenges haven’t arrived yet).
This article explains the basics of Critical Infrastructure Protection.
The NIST Framework for Improving Critical Infrastructure Security
The NIST Framework for Improving Critical Infrastructure Security is a voluntary, risk-based approach to critical infrastructure protection. It describes a comprehensive and collaborative strategy that can help organizations with existing projects or programs to more effectively manage risk and improve the security of their cyber-physical systems (CPS). This framework defines the functions necessary for managing risk at all levels within an organization’s CPS—from hardware and software to processes and people—and offers five functional areas to address in any risk management effort.
The framework also provides a reference model for security professionals who want to improve their capabilities or train others on how best to implement its concepts into practice.
Addressing Security and Resilience in the Energy Sector
NIST is working on a project to help the energy sector address security and resilience. The Energy Sector Cybersecurity Risk Management Framework (ESCRMF) will guide organizations that manage critical infrastructures, such as oil refineries, pipelines and power plants. The framework helps them decide how best to protect themselves against cyber threats while also safeguarding their day-to-day operations.
Addressing Security and Resilience in the Transportation Sector
In the United States, transportation is a vital part of the national economy, supporting $1.8 trillion to $3 trillion in annual economic activity. It’s also critical to maintaining the health and vitality of communities; transportation connects us to jobs, goods and services. For example, transportation networks provide access for millions of people who need it every day: workers commuting from home to work each morning or visiting family members over the weekend, students travelling from their dorms at night after class, and parents picking up their kids at daycare centers after work or dropping them off before heading offsite on business trips. Transportation networks are also essential for individuals who rely on public transit like buses or trains, and for individuals who require special accommodations such as wheelchair-accessible vans, which give them more freedom than regular taxis would!
When these networks fail unexpectedly, whether from natural disasters such as hurricanes, tornadoes or flooding, or from man-made failures like bridge collapses caused by high winds during severe weather events, lives are lost: people cannot reach medical care quickly enough (if ever), or they perish in fires caused by damaged power lines in homes that have lost electricity because downed trees have blocked the power poles outside their doors!
Addressing Security and Resilience in the Financial Services Sector
The financial services sector is a critical infrastructure sector. It’s important to understand that the same security and resilience considerations that apply to other critical industries, such as energy or transportation, also apply here. However, financial services organizations have some additional concerns because of the sensitive nature of their data and systems.
- The financial system is the backbone of our economy. If it fails or if cybercriminals can cause its failure (for example, by manipulating stock prices or stealing customer information), it could have devastating effects on individuals, businesses, governments and even whole countries around the world.
- Financial institutions are vulnerable to cyberattacks from multiple sources (including state-sponsored cyber criminals). These attacks can include:
  - attempts to steal customer information
  - disruption of service delivery
  - extortion of institutions through DDoS attacks
  - exploitation of vulnerabilities in payment infrastructure
  - theft of proprietary information about how those systems work, or a combination of these techniques for maximum impact (for example, a DDoS attack followed by extortion).
Addressing Security and Resilience in the Chemical Sector
The three phases of the Nuclear Sector Cybersecurity Framework (NRCSF) are:
- Identify and prioritize risks. This phase involves identifying the risks that could negatively impact an organization and prioritizing them based on their potential severity.
- Mitigate risk. This phase is where you’ll develop a strategy for addressing each of your vulnerabilities and prioritize which ones should be addressed first based on their severity level and the likelihood of occurrence.
- Stay aware. This phase means keeping track of threats and updating your plan to address new or emerging risks and any changes in your industry or infrastructure environment that may affect its operation or maintenance.
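The three phases above can be made concrete with a small risk register. The following Python example is added here and is not code from NIST or from any framework document: it identifies risks, ranks them by severity multiplied by likelihood on an assumed 1-5 scale, builds a mitigation plan that works through the worst items first, and re-opens an item when a re-assessment changes its rating. The risk names, ratings and the action threshold of 10 are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Qualitative 1-5 scales are an assumption of this example, not a NIST-defined scale.
MIN_RATING, MAX_RATING = 1, 5


@dataclass
class Risk:
    name: str
    severity: int      # impact if the risk is realized (1 = negligible, 5 = catastrophic)
    likelihood: int    # chance of occurrence (1 = rare, 5 = almost certain)
    mitigated: bool = False

    def __post_init__(self) -> None:
        for value in (self.severity, self.likelihood):
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{self.name}: ratings must be {MIN_RATING}-{MAX_RATING}")

    @property
    def score(self) -> int:
        # Classic qualitative risk matrix: severity x likelihood
        return self.severity * self.likelihood


class RiskRegister:
    """Tracks risks through the identify/prioritize, mitigate and stay-aware phases."""

    def __init__(self, action_threshold: int = 10) -> None:
        self._risks: dict[str, Risk] = {}
        # Risks scoring at or above this value go on the mitigation plan (assumed cut-off)
        self.action_threshold = action_threshold

    # Phase 1: identify and prioritize
    def identify(self, name: str, severity: int, likelihood: int) -> Risk:
        risk = Risk(name, severity, likelihood)
        self._risks[name] = risk
        return risk

    def prioritized(self) -> list[Risk]:
        # Highest score first; ties broken by severity so high-impact items lead
        return sorted(self._risks.values(),
                      key=lambda r: (-r.score, -r.severity, r.name))

    # Phase 2: mitigate, worst first
    def mitigation_plan(self) -> list[str]:
        return [r.name for r in self.prioritized()
                if not r.mitigated and r.score >= self.action_threshold]

    def mitigate(self, name: str) -> None:
        self._risks[name].mitigated = True

    # Phase 3: stay aware and update the plan when conditions change
    def reassess(self, name: str, *, severity: int | None = None,
                 likelihood: int | None = None) -> Risk:
        old = self._risks[name]
        # Rebuild the record so the rating check in __post_init__ runs again;
        # a changed rating re-opens the item so the plan is re-evaluated.
        updated = Risk(name,
                       old.severity if severity is None else severity,
                       old.likelihood if likelihood is None else likelihood,
                       mitigated=False)
        self._risks[name] = updated
        return updated


def build_sample_register() -> RiskRegister:
    """Constructed sample risks for a hypothetical plant network (not real data)."""
    reg = RiskRegister()
    reg.identify("unpatched HMI software", severity=5, likelihood=3)
    reg.identify("phishing against operators", severity=4, likelihood=4)
    reg.identify("misconfigured firewall rule", severity=3, likelihood=2)
    reg.identify("insider data theft", severity=4, likelihood=2)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("Prioritized:", [(r.name, r.score) for r in reg.prioritized()])
    print("Plan:", reg.mitigation_plan())
    reg.mitigate("phishing against operators")
    reg.reassess("misconfigured firewall rule", likelihood=4)  # e.g. new exposure found
    print("Updated plan:", reg.mitigation_plan())
```

Running the script shows the firewall item, which started below the threshold, moving onto the plan once its likelihood is raised, while the mitigated phishing item drops off; that is the "stay aware" phase in practice.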
Addressing Security and Resilience in the Healthcare and Public Health Sector
The healthcare and public health sector is a significant focus of NIST’s efforts to develop a framework to address security and resilience. Specifically, NIST is developing a framework that provides evidence-based best practices; supports risk management decisions through prescriptive guidance for specific use cases; and supports continuous improvement by providing a mechanism for ongoing assessment of an organization’s security posture against an ever-changing threat landscape.
NIST is working with the sector to:
- Identify and prioritize cybersecurity needs, including information sharing in support of incident response among hospitals, healthcare centers, and other organizations within the healthcare ecosystem.
- Work with stakeholders across all levels of government—including state and local governments—and private industry on how best to secure patient data while ensuring it remains available for use by authorized users.
Addressing Security and Resilience in the Defense Industrial Base Sector
In addition to providing standards and guidelines for securing the defense industrial base sector, NIST works with industry and government partners to develop tools and best practices for cybersecurity professionals. The following are just a few examples of how NIST helps the defense industrial base sector protect against cyber-attacks:
- NIST hosts an annual Cybersecurity Summit, where they bring together leaders from industry, academia, research labs, and federal agencies with cybersecurity professionals from across the nation to share information about current trends in technologies that threaten our critical infrastructure.
- In 2016, they collaborated with the Department of Homeland Security (DHS) Science & Technology Directorate’s Cyber Security Division (CSD), Sandia National Laboratories’ Life Sciences Division and many more organizations.
We know that these threats sound very intimidating, but they don’t have to be. Your business can protect itself with the proper security measures and an updated cybersecurity plan.