Each infrastructure is critical to someone. Go ahead: ask a CIO if they are in charge of something other than “critical infrastructure” and see what they say. In fact, the increasing criticality of all aspects of infrastructure underlies all our assumptions about security and privacy.
This article is the first in a series where I will take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. In challenging and reframing some of the assumptions in the document, I hope I can be forgiven for completely ignoring the idea that there might be “non-critical” infrastructure that would not be in scope. The document’s own statement for its importance, its preamble, is somewhat narrow and misleading:
“The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.” (page 1).
The impact statement is undeniable. Bad things can happen if we get hacked and stuff gets compromised. The statement is misleading because it insists on convenient buckets in which to put things. The folks at NIST are, to a large degree, taxonomists, and, as with Linnaeus before them, that approach has strengths (as we will see later in the series) and weaknesses (as we will see below).
The most apparent flaw in the above is the distinction drawn between cybersecurity, financial and reputational risks. For any given control and the risk it mitigates, we can identify which of those three is primary, but taken at the macro level, these three risks are inseparable.
If cybersecurity risk “can drive up costs and impact revenue” then how do we separate it from financial risk?
If cybersecurity risk can negatively impact an organization’s ability to “gain and maintain customers,” then surely it impacts reputational risk.
And, conversely, companies at increased financial and/or reputational risk may invest too little in cybersecurity and/or be too desperate to take the time to make sure things are secure. So what may seem like three distinct risks is really just three aspects of enterprise risk.
That, however, is not the most misleading thing in the preamble.
Consider the statement “increased complexity and connectivity of critical infrastructure systems.” While we can all agree that the world of systems is getting more crowded, one could argue that mobile apps are simpler than many enterprise applications. So to the extent that more and more is being done with mobile apps, maybe things are getting simpler.
And while the A.I. folk ponder when a machine will develop consciousness (machines as beings), the rest of us might be more immediately worried about when absolutely every object in the world (living beings included) will have an IP address (humans as endpoints).
Those IP addresses and the internet itself aside, most of us in security are as worried about the devices we are not connected to, i.e., the ones we do not control, as we are about the increased connectivity of the world.
The statement that there is “increased complexity and connectivity of critical infrastructure systems” is not incorrect, but it is only correct when you take the narrow view of “critical infrastructure.” Once you expand it to the on-line world that is evolving, a different picture emerges.
The world’s infrastructure is becoming more crowded with simple applications, and while there is increasing general connectivity, what really makes that connectivity complex is not messaging and networks. It is data.
Data is the knowledge a system has of the context it is running in. It does not rely on direct connectivity (or, often, any at all) at a physical or network level. In fact, even for connected devices, the more an attacker knows about the infrastructure (the more data they have) the more likely their attacks will succeed.
This is not a new idea, but it sometimes gets lost in all the focus on “connectivity.” So, what follows will be a data-centric view of the Framework for Improving Critical Infrastructure Cybersecurity. In doing so, I will try to show that while this document is not classified as one of NIST’s “Special Publications” (SP 800-x), it might be the most special of them all.