Improving Critical Infrastructure Cybersecurity
Abstract
VeriSign, Inc. operates several of the world’s largest and most important DNS Registries (.com, .net, .gov, and more). Because of this operational role that we fulfill, we continually strive to foster and ensure the security and stability of the global Internet [10]. In this vein, we applaud the National Institute of Standards and Technology’s (NIST’s) request for information: NIST Docket Number 130208119-3119-01 [9]. The nature of many of the cyber threats that we frequently observe is that they often orchestrate compromises by exercising previously unseen (or undocumented) vulnerabilities. By contrast, compliance checks, such as those mandated by [5, 6, 1, 4, 8, 7, 2, 3], are necessarily focused on previously observed threats and practices that are derived from analyses of these threats. While these compliance checks are very important, they consume the majority of time and expenditures of many Information Security (INFOSEC) teams. As new (and previously unseen) threats emerge, detecting and quantifying them is increasingly done through intelligence gathering and information sharing [15, 13, 14, 11]. Moreover, a recent report [10] outlined that even the seemingly straightforward alteration of adding new global Top Level Domains (gTLDs) to the DNS can prompt a great many systemic interdependencies that may require more “interdisciplinary” attention. As adversaries and attackers evolve their tactics, there is a growing gap created between Intelligence Driven Security (IDS) [12, 16, 15, 13] and Compliance Driven Security (CDS) [5, 6, 1, 4, 8, 7, 2, 3] models. We believe that CDS is an important component of the overall security posture needed for cyber infrastructure, but we also feel that it should not be mistaken for a solution to the cybersecurity threats of today, and many of the new cyber threats that may be emerging.
As stated in [9], the nation’s security and economic stability are affected by the security of its critical infrastructure, and the overall infrastructure has an increasingly prevalent dependence on its cyber critical infrastructure. As a result, we feel it behooves critical infrastructure providers to understand any gaps that may exist between their CDS postures and the current “threatscape.” A critical inspection of such gaps, perhaps, could identify would-be requirements that might be imposed on critical infrastructure and providers. The process, however, to designate the specific Internet elements and providers as “critical infrastructure” is not widely known. Further, the ramifications arising from such a designation have not been identified. For example, if a private corporate entity is classified as critical infrastructure, is it required to implement additional security controls? What impact might that have on it? In addition, such a classification makes the issue of transitivity unclear. For example, if a system is classified as critical infrastructure, does that mean that all systems that it depends upon are also deemed to be critical? If so, what are the pros and cons of this approach? Further, it is not clear if the list of those entities that are classified as critical infrastructure will be made public, or if not, within what specific non-public groups would such a list be shared. As a large service provider, we (again) applaud NIST’s efforts to understand the issues outlined in [9]. With the size of the gap between IDS and CDS being as unclear as it currently is, and the size of this gap being a function of the evolving threatscape, we feel that creating a framework to track and describe emerging threats would be a very useful first step.
It is our belief that a structured vehicle that could facilitate providers’ abilities to continually quantify the gaps between CDS and IDS, and which could inform information sharing efforts, would be invaluable in shaping future security frameworks and practices. Such a vehicle might take the form of a threat taxonomy, information sharing primitives, or other semantics that help enable the heterogeneous needs of IDS models.