The U.S. government has launched a new cybersecurity effort aimed at the nation’s critical infrastructure. The Systemic Cyber Risk Reduction Venture, led by the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC), aims to reduce cyber risk to national security and economic resilience.
Working with government and industry partners, the NRMC effort will build analytic capability that lets enterprises quantify the risk-reduction impact of the cybersecurity measures they have in place, develop actionable metrics from that analysis, and use those metrics to reduce risk that is shared across the nation’s security and economy.
The NRMC leads the nation’s effort to secure critical infrastructure and make it resilient across 16 key sectors, including communications, energy, transportation, and water. Because most critical infrastructure is owned by the private sector, managing its risk is a priority shared by industry and government. Through collaboration with the private sector, government agencies, and other key stakeholders, the NRMC uses a dynamic, cross-sector risk management process to identify, analyze, prioritize, and manage both cyber and physical risks to these national functions.
The agency aims to reduce systemic cyber risk by finding concentrated sources of risk that, if mitigated, deliver the greatest risk reduction per dollar for enterprises while also managing the risks most critical to the nation’s security. To achieve this, CISA established three lines of effort: building the underlying architecture for cyber risk analysis of critical infrastructure, developing cyber risk metrics, and promoting tools that address concentrated sources of cyber risk.
The convergence of IT and operational technology (OT) platforms has driven digital transformation, allowing organizations to improve operations by increasingly linking physical operations and infrastructure to digital architecture. Real-time insights, substantial efficiency gains, and better customer service are a few of the benefits. However, as the hyper-connected IT and OT environment grows more complex, especially with the advent of 5G and the Internet of Things (IoT), cyber risk grows with it.
Recent incidents such as the SolarWinds Orion cyber campaign, ransomware disrupting schools, and data exfiltration compromising Americans’ sensitive information emphasize the cascading impact of cyber risk on daily life and on National Critical Functions (NCFs). Cyber risk cannot be managed in silos, fragmented among individuals or departments each responsible for one piece of an organization’s risk with little or no interaction across them.
NCFs include those functions of government and the private sector so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security. The NRMC cybersecurity effort brings the private sector, government agencies, and other stakeholders together to identify, analyze, prioritize, and manage significant risks to these important functions.
By drawing on data from entities both within and outside their own circle, organizations can see the full potential extent of their vulnerabilities if exploited, including effects on other sectors or industries, identify clusters of common vulnerabilities and shared drivers of risk, and evaluate investments in cyber controls so that these risks are managed holistically and collectively.
The NCFs allow a more robust prioritization of critical infrastructure and a more systematic approach to the corresponding risk management activity. They represent an evolution of the critical infrastructure risk management framework established in the National Infrastructure Protection Plan. Where the previous approach focused almost entirely on entity-level risk management rather than on critical outcomes, the NCF approach enables a richer understanding of how entities come together to produce critical functions, and of what assets, systems, networks, and technologies underpin those functions.
To build the underlying architecture for cyber risk analysis of critical infrastructure, CISA will leverage the NCF Risk Architecture to understand how entities come together to produce critical functions, and what assets, systems, networks, and technologies underpin those functions. A granular understanding of how an NCF is provisioned will allow CISA to measure cyber risk at a national level in terms of functional consequence to critical infrastructure.
Organizations invest continually in security measures, and some are attempting to quantify the cost benefit of specific security controls. CISA will bring stakeholders together to discuss how existing efforts can be used to connect threat, vulnerability, and consequence for critical functions, and to develop metrics that quantify cyber risk in terms of functional loss with more precision than before.
Central to CISA’s venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, yield both heightened risk management and cost benefits. In a critical infrastructure community underpinned by an interdependent web of hardware, software, services, and other connected components, cyber risk creates the potential for cascading or correlated impact to NCFs.
Additionally, cyber threat actors are not constrained by geographic boundaries. For example, because the same coding flaws recur across connected systems, a single widely shared flaw can expose millions of IoT devices across numerous sectors and industries to remote exploitation.
Over the last two years, CISA has worked through a public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to identify supply chain threats, including those originating in software, and to develop guidance and tools that help ICT companies and their customers, including the federal government, reduce risk from software supply chains.