Protecting Critical Infrastructure: A Global Perspective
Repeated cybersecurity events against critical infrastructure components have caused nations to realize the importance of securing these environments. However, not all countries have taken a rigorous stance.
In Australia, for example, both the public and private sectors fully agree that a real and present danger targeting critical infrastructure lurks in cyberspace. The emergence of weapons-grade malware, such as Shamoon, Flame and Stuxnet, proves that cyberwarfare is alive and well today. However, the nation does not have a completely defined government mandate for cybersecurity in critical infrastructure due to blurred lines between federal responsibilities and obligations. Australia also has not yet established a national governing entity to watch over cybersecurity across all industry verticals.
In the United States, the national focus on protecting infrastructure is more robust, due partially to an Executive Order and Presidential Policy Directive that President Barack Obama signed in February. The order and the directive provide common direction and mandate commonality among the industries that comprise critical infrastructure. The nation should soon have cross-departmental cyberthreat reports, procedures established to expand its Enhanced Cybersecurity Services Program, and new incentives that will convince companies and industries to invest in cybersecurity safeguards. Following that, the United States should have risk-based identification of the most at-risk critical infrastructure and, by next year, a standard framework for securing critical infrastructure.
The Qatari government has taken an expeditious approach following cyberattacks on Aramco in Saudi Arabia and RasGas in Qatar. This nation has established a critical infrastructure security standard and accompanying law. The National Standards for Security of Critical Industrial Automation and Control Systems guidelines take into consideration the controls from a dozen cybersecurity standards from around the globe. Summarized in a publicly available document, the guidelines are referenced by the Qatari Critical Information Infrastructure Protection law.
These three nations represent a fair sampling of the current state of critical infrastructure protection worldwide. They range from recognition of a need, with a limited governance capability yet to be established, to emerging standards and laws, to standards and laws that are perceived as complete and ready to enforce. The one common thread tying together these “states of cybersecurity readiness” is the underlying principle that cybersecurity is not an end state. Rather, cybersecurity is an evolving journey that will continue into the foreseeable future.
This post was co-authored by Edward Liebig, CSC’s global chief technology officer for Cybersecurity Consulting.