As the world weathers the COVID-19 pandemic, we are faced with preparing for it and with protecting and helping ourselves, our families, friends, co-workers and members of our greater communities. Procrastination, coupled with a distrust or disbelief that this will impact me (downplaying the magnitude of it) and not knowing what we don’t know, sharply raises the risk of infection and of serious health consequences coming to bear.
Unfortunately, much the same posture can be found in our enterprises’ cybersecurity and system security risk management and risk mitigation preparation. The MITRE Corporation currently tracks 94 cyber threat groups poised to wreak havoc on the business community. Are we as prepared for them as we are preparing for COVID-19?
Whether an enterprise is relatively flat or comprised of many lower-level systems and organizational units, rolling up cybersecurity and system security measures is complex, and that complexity can present vulnerabilities and challenges to enterprises of any size. The National Institute of Standards and Technology (NIST) has issued a draft interagency/internal report (NISTIR 8286), “Integrating Cybersecurity and Enterprise Risk Management (ERM),” which focuses on using risk registers to set out cybersecurity risk and explains the value of rolling up measures of risk that are usually addressed at the system and organizational level to the broader enterprise level.
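To make the roll-up concrete, here is a small worked example written for this post; it is not NIST’s tooling and not code from the NISTIR 8286 draft. Each organizational unit keeps its own risk register with the usual columns (ID, description, category, likelihood, impact, response, owner); the enterprise view aggregates rows by risk category. The 1–5 scales, the exposure formula (likelihood × impact), the “worst case wins” aggregation rule, the escalation threshold of 12 and the three sample registers are all assumptions made for illustration.

```python
"""Rolling up system-level risk registers into an enterprise-level register.

Added example for this post; it is not NIST's tooling and not code from the
NISTIR 8286 draft. The columns loosely follow the risk register the draft
discusses (ID, description, category, likelihood, impact, exposure, response,
owner). The 1-5 scales, the exposure formula, the "worst case wins" roll-up
rule, the escalation threshold and the sample registers are all assumptions
made for illustration.
"""
from dataclasses import dataclass


@dataclass
class RiskEntry:
    unit: str          # system or organizational unit that owns this register row
    risk_id: str
    description: str
    category: str      # shared vocabulary so rows from different units can be matched
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)
    response: str      # accept / mitigate / transfer / avoid
    owner: str

    def exposure(self) -> int:
        """Exposure rating = likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact


@dataclass
class EnterpriseRisk:
    category: str
    exposure: int            # worst exposure reported by any unit for this category
    units: list              # units that carry this risk
    worst: RiskEntry         # the row that sets the enterprise exposure
    accepted_locally: int    # rows a unit chose to "accept" on its own authority


def validate(entry: RiskEntry) -> None:
    """Reject out-of-scale scores; a roll-up of bad inputs is worse than none."""
    for name, value in (("likelihood", entry.likelihood), ("impact", entry.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{entry.unit}/{entry.risk_id}: {name}={value} is outside 1..5")


def roll_up(entries: list) -> list:
    """Aggregate unit-level rows by category into one enterprise-level row each.

    Rule (assumed): the enterprise exposure for a category is the maximum any
    single unit reports, not an average. Averaging would let a plant with a
    catastrophic exposure disappear behind several low-risk offices.
    """
    by_category: dict = {}
    for entry in entries:
        validate(entry)
        by_category.setdefault(entry.category, []).append(entry)

    rolled = []
    for category, rows in by_category.items():
        worst = max(rows, key=lambda r: r.exposure())
        rolled.append(EnterpriseRisk(
            category=category,
            exposure=worst.exposure(),
            units=sorted({r.unit for r in rows}),
            worst=worst,
            accepted_locally=sum(1 for r in rows if r.response == "accept"),
        ))
    # Highest exposure first; ties broken by how many units share the risk.
    rolled.sort(key=lambda r: (-r.exposure, -len(r.units), r.category))
    return rolled


def escalations(rolled: list, threshold: int = 12) -> list:
    """Rows the enterprise should own directly (threshold is an assumption)."""
    return [r for r in rolled if r.exposure >= threshold]


# Constructed sample registers from three organizational units (not real data).
SAMPLE_REGISTERS = [
    RiskEntry("Plant A OT", "A-01", "Ransomware halts production line", "ransomware", 4, 5, "mitigate", "Plant manager"),
    RiskEntry("Plant A OT", "A-04", "Unpatched HMI reachable from plant Wi-Fi", "unpatched OT device", 5, 2, "accept", "Plant manager"),
    RiskEntry("Corporate IT", "IT-03", "Ransomware encrypts file servers", "ransomware", 3, 4, "mitigate", "IT director"),
    RiskEntry("Corporate IT", "IT-07", "Phished credentials reused on VPN", "credential theft", 4, 3, "mitigate", "IT director"),
    RiskEntry("Engineering", "E-02", "Shared CAD account password leaked", "credential theft", 2, 4, "accept", "Engineering lead"),
    RiskEntry("Engineering", "E-05", "Design files exfiltrated by departing employee", "IP exfiltration", 3, 5, "mitigate", "Engineering lead"),
]


if __name__ == "__main__":
    for r in roll_up(SAMPLE_REGISTERS):
        flag = "  ESCALATE" if r.exposure >= 12 else ""
        note = f"  ({r.accepted_locally} accepted at unit level)" if r.accepted_locally else ""
        print(f"{r.exposure:>2}  {r.category:<20} {', '.join(r.units)}{note}{flag}")
```

The point of the `accepted_locally` column is the case the paragraph is warning about: Engineering accepted a credential-theft risk it scored at 8, but Corporate IT reports the same category at 12, so at the enterprise level that category crosses the escalation threshold and the local acceptance needs a second look.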
To assist in developing a good cybersecurity posture, NIST’s Cybersecurity Framework, titled “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1,” may be used for this purpose. The Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance for achieving those outcomes. It consists of five (5) concurrent and continuous Functions: Identify, Protect, Detect, Respond and Recover.
Manufacturing, as a business sector, has a profile to which NIST’s Cybersecurity Framework can speak more directly; for that reason NIST created “NISTIR 8183, Cybersecurity Framework Manufacturing Profile.”
To go a step further in developing your cybersecurity and system security posture, NIST has Special Publication 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Even though your enterprise may not handle or create “Controlled Unclassified Information” (a specific term for Federal government information), your enterprise surely creates and possesses intellectual property (IP) for which all measures need to be taken to protect it and to mitigate the risk of a cyber or system-related incident. NIST SP 800-171 sets out 110 security requirements against which system security can be assessed; for ease of use, the requirements are organized into fourteen families, each containing the requirements related to that family’s general security topic. Again, this is a tool for assessing and building a good cybersecurity and system security posture. For comparing the NIST Cybersecurity Framework to the SP 800-171 requirements, NIST provides an MS Excel file that maps the Cybersecurity Framework to the various SP 800-171 security requirements. Although each was written with a different strategic purpose in mind, they can work in concert to help you improve your cybersecurity and system security posture.
As we learn how to mitigate the risks associated with the spread of COVID-19, let us also turn our attention, with a great concerted effort, to mitigating the risks associated with our cyber and system security. The virus is out there among all of us in the form of some really bad actors (see the MITRE threat groups referenced above). Build and bolster your cyber and system security posture now, because it is a dynamic process. Ensure there is a deep commitment to on-going cyber and system security assessment; that appropriate policies and procedures are in place; that system security plans exist along with a plan of action and milestones (POA&M) for the security controls that are needed but not currently met; and that incident response planning is in place and part of your cyber risk mitigation and resiliency practice.
Please stay safe and healthy in weathering the COVID-19 pandemic, and use this experience to reflect on and give good measure to your enterprise’s cybersecurity and system security posture. IMEC is ready to help you Plan – Implement – Excel when it comes to your cyber and system security needs, and stands poised with the National Manufacturing Extension Partnership (MEP) Network and security partners to bring awareness and practical solutions to meet your cybersecurity and system security needs.
Contact the Illinois Manufacturing Helpline and get your concerns and questions addressed quickly by industry experts!