Cybersecurity of Our Critical Infrastructure: Part Four

The Defense Industrial Base, Government Facilities, Healthcare and Public Health, and Information Technology sectors keep our country running. Every day, people rely on our government, and its partnerships with private institutions, to carry out the security protocols that keep our country safe and stable. This is why Crest covers these four sectors in this fourth edition of the Cybersecurity of Our Critical Infrastructure series; we are dedicated to giving you full transparency into how the operational and informational technologies in each sector are planned for and protected.

To read the previous articles in this series visit CrestBlog!



Defense Industrial Base Sector


The DIB sector has been working on cybersecurity since before EO 13636 was issued in 2015, going back as far as 2007 with the establishment of the DoD DIB CS/IA (Department of Defense, Defense Industrial Base Cybersecurity and Information Assurance) program. The DIB CS/IA was a collaborative effort between the DoD and Cleared Defense Contractors (CDCs) to protect critical, unclassified DoD program and technology information residing on, or transiting, DIB unclassified systems and networks. It is a voluntary program for the private sector members of the DIB, executed at the corporate level under a bilateral agreement between the DoD CIO and each individual DIB company. The program became the model for DHS cyber threat information sharing with the other critical sectors.


In 2010 the DIB released a comprehensive sector plan that describes how the DoD DIB CS/IA program should develop over the following years. The desired updates are as follows:


  • Continue to improve CS/IA measures to protect unclassified DoD program or technology information residing on or transitioning DIB unclassified systems or networks. Accomplish this through cyber threat information sharing between DoD and DIB partners, IA measures, and identifying new technologies that enable detection, prevention, and response to cyber intrusions.

  • Assess technological (and intellectual property) losses when unclassified Critical Program Information is lost, and support changes in contract language through FAR (Federal Acquisition Regulation)  and DFAR (Defense Federal Acquisition Regulation) modifications to mitigate further losses. 

  • Continue to leverage the results of specific cyber threat sharing and incident reporting to generate valuable real-time data that can be assessed and distributed (without company attribution) to participating DIB members.

  • Continue the phased transition of DIBNet to the DISA (Defense Information Security Administration) infrastructure.

  • Continue risk assessment and mitigation activities through DCISE (DoD-Defense Industrial Base Collaborative Information Sharing Environment) operations and DoD cyber intrusion damage assessment activities, and incorporate findings into alerts, cyber intrusion damage assessment reports, and other appropriate threat information products in support of improved cyber incident detection, prevention, and response actions.

  • Continue to extend the program to qualified CDCs in support of increased threat awareness, incident reporting, and protection of program and technology information.

  • Partner with DHS in its adoption of the DoD DIB CS/IA program cyber threat information-sharing model.

  • Expand and mature the DoD DIB CS/IA cyber threat information-sharing process.

  • Continue to support the development of acquisition and contracting policy to update the FAR and DFARS as appropriate, and to implement specific information protection language in defense contracts. Support the public meeting for the Advance Notice of Proposed Rulemaking and the public comment period. 

  • Support DIB Sector cybersecurity efforts enabling long-term protective planning for cyber elements and supporting DIB Sector efforts in characterizing DIB cyber elements and identifying cyber infrastructures, functions, or elements; identifying cyber dependencies and interdependencies; and prioritizing DIB cyber programs and initiatives, as appropriate. 

  • Measure progress through cybersecurity metrics.

  • Continue to implement the program that allows eligible private sector employees to enroll at the Defense Cyber Investigations Training Academy at the Defense Cyber Crime Center, in accordance with the National Defense Authorization Act for FY2010.



Government Facilities Sector


In the 2015 Sector Specific Plan published by the GFS, there is a wealth of support and guidance on how the sector will handle the accelerating cyber threats on the global stage. Because this sector underpins even the most mundane government activities, its cybersecurity is essential to daily life. Within the document, the sector identifies and tiers its most valuable assets and how they should be protected. This entails:

  • Network Infrastructure Protection

    • Security provisions of routers, switches, and backbone network protocols

    • Virtual private networks

    • Security domains, firewalls, and demilitarized zones

    • Remote access protections

  • Enterprise Security Management

    • Technologies for collection, analysis, and correlation of security-relevant data; assessing vulnerabilities; installing, patching, and managing configuration; detection, alerting and responding to security events; and incident tracking, evidence gathering, and forensic investigation

    • Security-relevant aspects of services’ continuity, including physical system location and protection, system and data backup, backup storage and protection, and recovery procedures and testing

  • Enterprise access

    • Identification and authentication

    • Account management, password management, provisioning, and single sign-on

    • Access controls based on the user account, role, group, and other static or dynamic information

    • Policy definition, enforcement, and testing tools

    • Auditing

    • Non-repudiation services

  • Server and Host Protection

    • Hardening of end systems and key infrastructure components

    • Integrity detection/assurance tools

    • Malicious code scanning and filtering 

    • Host-based vulnerability assessment, prevention, detection, and monitoring

    • Host-based encryption and secure operating systems

  • Application Protection

    • Application-level identification, authentication, access control, encryption, and auditing

    • Application hardening, wrappers, and middleware security provisions

    • Application integrity detection/assurance and vulnerability assessment tools

  • Data Protection

    • Security services and mechanisms, such as database configuration and management

    • Database directory services

    • Database access control, auditing, event correlation, and alerting

    • Database survivability


Healthcare and Public Health Sector


The 2016 release of the HPH Sector Cybersecurity Plan expands on cybersecurity practices begun in 2007. The partnership formed between the HPH Sector and the DHS CS&C strengthened the sector's cybersecurity efforts through:

  • Efforts in collaboration with DHS CS&C to support the Critical Infrastructure Cyber Community Voluntary Program, which serves as the coordination point within the Federal Government for critical infrastructure owners and operators interested in improving their cyber risk management processes. The program supports Sector partners in cyber resilience and the Sector's awareness and use of the NIST Framework for Improving Critical Infrastructure Cybersecurity.

  • Identification and ongoing review of HPH Sector critical cybersecurity functions and services as part of the Cyber-Dependent Infrastructure Identification effort mandated by E.O. 13636. This effort identified Sector critical functions that were validated by Sector subject matter experts.

  • Incorporation of cybersecurity considerations as part of the Sector Risk Assessment Methodology effort to help inform sector-specific risk management strategies and decision-making and to provide a linkage between national and organizational cyber risk management efforts

  • Establishment of a joint GCC-SCC WG (Government Coordinating Councils- Sector Coordinating Councils Working Group) to focus on preparedness and response to cyber threats across the Sector

  • Expansion of cybersecurity expert participation in the HPH Sector partnership and an expanded focus on cybersecurity information sharing, including threat, response, mitigation, and remediation information, among Sector partners through the services provided by ISACs and ISAOs such as the NH-ISAC and HITRUST.

  • Development of guidance, in coordination with DHS, for sector-specific tailoring and implementation of the NIST Cybersecurity Framework

  • Collaboration with members of the Health Information Technology Subsector to coordinate the Sector’s implementation of E.O. 13691, Improving Private Sector Information Sharing

  • Development of cyber concept of operations (CONOPS) to explain the actions taken if a private sector entity reports a breach or cyber attack. This cyber CONOPS will address how HHS (in its SSA role) coordinates and collaborates with industry and Federal partners via incident management, information sharing, and cybersecurity efforts.

  • Coordination and encouragement of Sector participation in planning and conducting the Cyber Storm exercise series

  • Pursuant to E.O. 13636, support for the ODNI in the development and issuance of unclassified reports of cyber threats to the U.S. homeland that identify specific targeted HPH Sector entities.


Information Technology Sector


The information technology sector, the final sector we'll be discussing in this series, is the closer for very obvious reasons. This sector shapes the way every other sector implements and handles technology in its organizations, and it sets the guidelines for meeting the highest standards of cybersecurity. It is through the NIST Critical Infrastructure Cybersecurity Framework published in 2014 that the IT Sector was able to firmly establish its cybersecurity implementation and play the role of frontrunner for the other sectors in our infrastructure. In fact, because the sector understands how volatile a compromise of IT would be, it has openly stated that its cybersecurity frameworks and sector-specific plan will be updated every four years.


Earlier this year, the release of the Information Technology (IT) System Planning (PL) Standard outlined the identification, mitigation, planning, and awareness of all necessary cybersecurity processes for the sector. The system security and privacy plans were particularly interesting to Crest, since the standard discloses how the sector develops plans for its systems that:

  • Are consistent with the organization’s enterprise architecture

  • Explicitly define the constituent system components

  • Describe the operational context of the system in terms of mission and business processes

  • Identify the individuals that fulfill system roles and responsibilities

  • Identify the information types processed, stored, and transmitted by the system

  • Provide the security categorization of the system, including the aspects of concern to the organization

  • Provide the results of a privacy risk assessment for systems processing personally identifiable information

  • Describe the operational environment for the system and any dependencies on or connection to other systems or system components

  • Provide an overview of the security and privacy requirements for the system

  • Identify any relevant control baselines or overlays, if applicable

  • Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions

  • Include security- and privacy-related activities affecting the system that require planning and coordination with other individuals or groups within the organization, including but not limited to those responsible for assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing, as required

  • Are reviewed and approved by the authorizing official or designated representative before plan implementation

  • Are distributed, along with any subsequent changes, to personnel with cybersecurity and privacy responsibilities, including but not limited to the Authorizing Official (AO) or AO delegate, ISSO, and ISO

  • Are reviewed at least annually or when a major change occurs to the system

  • Are updated to address changes to the system and environment of operation or problems identified during plan implementation or control assessments

  • Are protected from unauthorized disclosure and modification

The sector also emphasizes the use of the Cyber Security Assessment and Management (CSAM) tool as the authoritative source for developing, managing, and maintaining the Department's IT systems; as the system of record for FISMA reporting; and as the enterprise tool used to support Assessment and Authorization processes.


Conclusion


We come to the end of our deep dive into the sector-specific cybersecurity practices of our critical infrastructure. In the future, we expect multiple innovations in the cybersecurity of the Operational and Informational technologies within each sector, focusing on internal and external threats like phishing and ransomware attacks, prioritizing multifactor authentication, and even the full implementation of Zero Trust Architecture (if you're not sure about the specifics or benefits of Zero Trust, see our earlier CrestBlog post on the topic). Multiple updates within every sector should be made closer to 2024, since the cybersecurity updates were called for by the DHS and the White House earlier this year. We'll take a look at the current trends and predictions for cybersecurity in the critical infrastructure sectors in the final article of the critical infrastructure series.


Until then, keep on the lookout for more CrestBlog articles, and make sure to visit Crest Security Assurance on our webpage to learn more about our business and dedication to cyber health. 


Sources


https://www2.ed.gov/fund/contract/about/acs/2022-pl-planning-standard-signed.pdf

https://www.gao.gov/assets/gao-22-105103.pdf

https://ndiastorage.blob.core.usgovcloudapi.net/ndia/2014/cyber/Michetti.pdf

https://www.acq.osd.mil/cmmc/docs/DIB-CS-Activities-Placemat_Quad-Chart.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-defense-industrial-base-2010-508.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-government-facilities-2015-508.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-healthcare-public-health-2015-508.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-information-technology-2016-508.pdf

https://www.youtube.com/watch?v=gPXfbAUSUFo

