The Future of Critical Infrastructure Cyber Security in North America?
I've just read the Joint Statement from President Donald J. Trump and Prime Minister Justin Trudeau after their meeting today (February 13th, 2017). There were a couple of references that I found interesting regarding cyber security that I think should be investigated and understood from a Canadian perspective.
The main take away sentence is the following:
"Given the integrated nature of the infrastructure that supports our intertwined economies, cyber threats to either country can affect the other. We therefore commit to further cooperation to enhance critical infrastructure security, cyber incident management, public awareness, private sector engagement, and capacity building initiatives."
This is interesting stuff. In order for Canada to enhance critical infrastructure security and cyber incident management, it would imply to me that Canadian governments and the private companies who manage critical infrastructure in Canada are going to need to get on board with some of the standards used in the United States. I'm going to go over a couple of these here:
The first one is NIST (National Institute of Standards and Technology) 800-53, the "Security and Privacy Controls for Federal Information Systems and Organizations". This document is actually "leveraged" by the Canadian Federal Government today; the Canadian version is called ITSG-33. Basically put, Canada adds a couple of controls of its own and translates it. For all intents and purposes, it's the exact same document.
The next one is a bit more interesting, in that I'm not sure whether any departments or private players in Canada use it. NIST has created a Framework for Improving Critical Infrastructure Cybersecurity. It relies on a Cyber Security Framework (CSF) that deals with the following high-level capabilities:
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
I can tell you with great certainty that American companies today that deal with critical infrastructure are using the NIST CSF to ensure they are addressing security in a way that aligns with the U.S. Government. However, instead of blindly following all 640+ security controls found in NIST 800-53 (or ITSG-33), the CSF calls out COBIT, ISO 27001 and NIST as Informative References that can be used to meet a control and its subcategories of control objectives. This can relieve a company from implementing yet another series of control checks, since it can leverage what it already has in place.
Now here's the awesome part. There's already training that exists to train your security management and implement the Cyber Security Framework. ISACA created the CSX Practitioner series of courses and an accompanying certification to address the needs of companies in the critical infrastructure space. You can find out more information about the CSF, the CSX courses and next scheduled dates here.