Tranquility: The Unrecognized Asset in Critical Infrastructure Security
In 2015, a Chicago woman named Nancy Carlson won a white bag for $995 during an online auction being hosted by the federal government. On the bag were emblazoned the words: Lunar Sample Return. After receiving it in the mail, Nancy found several rocks and a fine powder still inside the bag. Wanting to know what she had on her hands, she sent the bag and its contents to be analyzed. It turned out the specimens inside were actually from the Sea of Tranquility.
The Sea of Tranquility is, of course, located on the moon. In outer space.
Even wilder, Nancy eventually learned that the bag had been used by Neil Armstrong and Buzz Aldrin during the very first lunar landing back in 1969 – the bag was literally a national treasure. NASA sued, hoping to get their bag back, but a judge ruled in favor of Nancy and her incredible stroke of luck.
Knowledge is Power (and Security)
When talking about security amongst critical infrastructure companies, two immediate lessons spring to mind while reading a story like Nancy Carlson’s.
The first is that without the right expertise, you may not know the true value or risk of your current security system. It might be moon dust or it might be backyard dirt. It takes a learned assessment with the highest standards to definitively gauge something’s value. This is the role of a security framework. Sometimes security frameworks are thrust upon you by a regulator, but in the best of situations, the most proactive firms go looking for a framework that suits their security goals.
The second lesson, and perhaps the most painful, is that without the right watchful eye, significant and irreplaceable material might be carelessly and needlessly lost. All it takes is a minor distraction or hole in a system to find yourself in a publicly humiliating position. Your invaluable tranquility is literally out the window. When other people’s safety and information are at stake, vigilance should never have the day off. This is the role of the Integrator.
Among all of the places where security integration must take place, critical infrastructure is by its very nature the most tenuous. It involves a network of regulators and the high-risk game of providing power, resources and technology to literally every human across the country.
When we include regulators in the conversation, the pressure on critical infrastructure companies and their need for clarity become even more intense. A conversation with a regulator or regulatory body is a bad time to find out that your system is deficient in some way. The primary way to know how good your security is and will remain is to consult a true security framework and have a knowledgeable integrator interpret the results, implement any needed changes or improvements, and keep a watchful eye on the health of the security system.
The Power of CIP
While the NIST framework may be the most familiar and the most far-reaching, CIP (Critical Infrastructure Protection) has much to bring to the table for critical infrastructure companies of all shapes and sizes. Designed in 2008 to help secure and regulate the Bulk Electric System in the United States, CIP became the industry standard for evaluating multiple facets of a cybersecurity system. With a nationally renowned suite of assessment tools and a dedication to the highest of security protocols, CIP is an indispensable tool for testing the security of any critical infrastructure’s given system.
While other frameworks offer the “what”, CIP offers the “how”, giving security leaders and integrators a way to upgrade their existing operations and technology.
As with any security framework, CIP is only as helpful as the integrator who can then suggest and implement the needed improvement to make the system stronger and more secure. For a skilled integrator, the CIP framework might reveal a need for critical overhaul of the physical security of an asset, or the development of a contingency plan and reporting protocols in the event of a cyber intrusion. Or it could culminate in the refinement of endpoint solutions in order to prevent unauthorized access to systems information.
Whatever the results, the integrator’s knowledge and expertise can customize the CIP guidance for non-Bulk Electric CI companies. CIP gives large enterprises a toolkit for engaging their regulator and possibly influencing future guidance with their advanced perspective.
Exceeding the Status Quo
The truth is that any security framework is better than no framework. The benefits of exceeding the status quo should be obvious: increased risk management, a proven framework for results, a roadmap for regulator engagement. NIST gives you a beginning, but CIP can actually transform the results when engaged thoughtfully and with the right partners.
When it comes to your organization, be it the security for your employees, your customers and clients, their information, or the resources they use, you should never have to guess or wonder how effective your critical infrastructure’s security system is. You want to keep those under your protection in a sea of tranquility, if you will. And a well-designed and maintained cybersecurity system can do just that.
NASA didn’t know what it didn’t know and an irreplaceable asset slipped through their fingers. Critical infrastructure firms have the tools to protect from the same thing happening to them.
CIP can help. And SAGE can, too.
To speak with our critical infrastructure security specialist or to discover how our CI clients are passing audit after audit, contact us below.