
8 areas for improvement in securing critical infrastructure

When the Preliminary Cybersecurity Framework for critical infrastructure is released in February, it will look “very much” like the draft version released this month, said National Institute of Standards and Technology director Patrick Gallagher.



That does not mean the framework is carved in stone, however. Gallagher said it will be a living document and will evolve to address new threats and business needs.

An entire section of the document, Appendix C, addresses “Areas for Improvement.” IT risk management is a less mature practice than other forms of security, and not all needed standards and best practices have been identified or created. Input from government, industry and academia during development of the framework has identified gaps to be addressed in future iterations.

“These initial Areas for Improvement provide a roadmap for stakeholder collaboration and cooperation” in developing new or revised standards, the framework says.

Initial areas for improvement are:

Authentication. Ensuring the identity of those accessing resources and services is a challenge in any online activity. Developing authentication schemes that are secure while remaining manageable and scalable can be daunting. “While new solutions continue to emerge, there is only a partial framework of standards to promote security and interoperability,” the framework says. Usability is a significant challenge for many control systems.

Automated indicator sharing. Information sharing is essential in securing entire industry sectors, but there is little standardization in how this is done across and between organizational boundaries.

Conformity assessment. Organizations need standardized ways to assess their level of compliance with standards, ways that will breed confidence while being cost-effective.

Cybersecurity workforce. Even with the use of automated tools, a skilled workforce is needed to manage and protect critical infrastructure. The shortage of qualified cybersecurity experts is well known, but the shortage of those with an understanding of the unique needs of critical infrastructure is even greater. The industry needs to better understand these specific needs and to recruit and train workers.

Data analytics. Big data and the analytic capabilities of cloud, mobile and social computing offer both opportunities and challenges in analyzing cybersecurity data. Taxonomies, tools and metrics need to be developed.

International aspects, impacts and alignment. U.S. infrastructure does not operate in a vacuum, and standards, practices and expectations need to be adopted globally.

Privacy standards. Privacy and civil liberties are relatively immature areas of the framework and will get additional attention going forward. Fair Information Practice Principles offer a set of guidelines for mitigating privacy impacts, but there is a lack of standardization and metrics for implementing them.

Supply chain risk management. Organizations continue to struggle to identify risk in the supply chain and prioritize actions in addressing it.

About the Author

William Jackson is a Maryland-based freelance writer.

