CYBERSECURITY American Approach to Critical Infrastructure Cybersecurity early feedback indicates that it is helping take the national dialog about cybersecurity to a new level which increases awareness and helps address this fast evolving problem set. C ybersecurity has made it to living rooms and kitchen tables worldwide. Governments and policy makers globally are engaging in a serious debate about how much to regulate, what should be voluntary, and which industries should be subjected to whatever “it” is. Pervasiveness of information technology throughout global critical infrastructures creates a sometimes uncomfortable reality. In many countries over 80% of critical infrastructure including electricity, water, gas, and telecommunications is owned and operated by private entities. Governments rely on this privately-owned critical infrastructure to support basic functions including defence, emergency services, law enforcement, intelligence, tax collection, and so on. Possible governmental approaches to cybersecurity vary from voluntary and objective-oriented to mandatory and prescriptive. In reality most governments are somewhere in the middle of this continuum. The United States adopted a voluntary approach because it allows the industry to deploy the best possible solutions while continually supporting innovation. The nation has invested substantial resources into developing and implementing this voluntary approach that includes participation from government agencies, regulators, critical infrastructure owners and operators, suppliers of critical infrastructure services and components, academia, trade associations, and other stakeholders in keeping the interconnected world up and running. The road is challenging but 24 How it all began February 12, 2013 President Obama issued Executive Order (EO) 13636 1 entitled Improving Critical Infrastructure Cybersecurity. The EO directed the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that would apply across the critical infrastructure sectors. The Framework would be “prioritized, repeatable, performance-based, and cost- effective including security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The Framework was to be developed in collaboration with industry and was required to incorporate voluntary industry standards and best practices, as well as be consistent with the voluntary international standards when appropriate. NIST was also required to review the Framework annually and revise it based on evolving risks, standards and best practices. This was an incredibly ambitious undertaking that required a careful and balanced approach to ensure appropriate industry engagement that allowed all interested parties to participate while developing a useful product that could be released within one year. The EO also required an annual review of the Framework. NIST led this critical initiative by issuing a series of Requests for Information (RFI), conducting workshops, publishing drafts for public comment, and tireless meetings with the industry. A broad variety of critical infrastructure owners/operators participated in the process. The Final Framework was published February 12, 2014 2 . On the same date, NIST also published a Roadmap 3 which articulated areas for further development or standardization including: authentication, automated indicator sharing, supply chain and conformity assessment, cybersecurity workforce, standards supporting the Framework, and privacy methodology. Implementing the Framework is entirely voluntary; it is intended to help organizations large and small to implement cybersecurity practices based on each one’s risk profile, resources, and aspirations for implementing cybersecurity practices. Following the publication of the Framework the sixteen critical infrastructure sectors set out to figure out how the Framework may need to be customized to their specific needs and to develop sector-specific Framework guidelines. Tailoring the Framework to Critical Infrastructure Sectors The Energy Sector was first out the gate with the Department of Energy (DoE) recommending the use of the Cybersecurity Capability Maturity Model (C2M2) 4 to implement the Framework on the same day as the Framework itself was released. Following that, the Energy Sector developed an Energy Sector Cybersecurity Framework Implementation Guidance document 5 . This document further tailored the Framework to Energy Sector needs and provided guidelines on how to apply C2M2 to the Framework. The final document was released in January and has been well received by US utilities. The Communications Sector is in the process of developing its own guidelines document which will be finalized in March 2015. Overview of the Framework – a Risk-Based Approach to Cybersecurity The NIST Framework workshops that collected initial feedback, brainstormed the Framework, confirmed initial ideas, and reviewed drafts have permanently changed the national discourse about cybersecurity. Several METERING INTERNATIONAL ISSUE – 6 1 | 2014 2015