Remember when the President signed the Critical Infrastructure Executive Order a few months ago? Essentially, the order directed the federal government to focus its considerable resources on cybersecurity threats to our core oil, electric, and transportation systems. It turns out that a good part of the government’s program involves sharing both classified threat information and technical advice with owners and operators of critical infrastructure.
On that latter point, the US’s leading technical and scientific standards organization, NIST, recently rolled out an update to its long-standing security standards guidelines for federal agencies. Motivated by the executive order, NIST has asked agencies and critical infrastructure players to consider what it calls a “Build It Right” approach to data security.
Befitting a government document on cybersecurity, NIST’s Security and Privacy Controls for Federal Information Systems and Organizations is over 400 pages and covers 18 security control families, each coded with a two-letter identifier—from Access Control (AC) to Program Management (PM). Anyway, if I can summarize NIST’s “Build It Right” philosophy in one word, it is “monitoring”. In fact, a quick search of the PDF reveals that monitoring shows up over 300 times.
NIST is a strong believer in continuous monitoring, which is an important part of its baseline security controls. So if you look through a specific control family, say Access Control, you’ll spot references to monitoring of user accounts for unusual activity, and monitoring of remote access for unauthorized connections. The M word shows up often in the other 17 families as well.
According to NIST Fellow Ron Ross, monitoring gives decision makers “near real-time information” to respond to cyber attacks. It’s really a way of saying that no matter how good your frontline security is, you’ll need to monitor preventive controls to make sure they’re not changed incorrectly, and monitor activity to spot the attacks that fall through the safeguards.
Monitoring activities in complex systems is, of course, a perfectly respectable approach for companies outside of the world of oil refineries and hydroelectric dams. We recently published the results of a survey conducted to learn how prepared companies are to detect data security incidents in real time.
The results show there’s much room for improvement—a mere 6% have true real-time capabilities to spot breaches in progress. The rest have varying levels of notification technologies, and an eyebrow-raising 24% have absolutely no alerts in place.
I won’t try to guess how critical infrastructure operators would perform in our survey—we hope it’s better than 6%. The key point, though, is that the US government recognizes that monitoring technology is an essential part of our national defense against cyber attacks.
We’ll have more to say on this in the coming months.