January 15, 2024 | Cybersecurity
Critical National Infrastructure is a national security issue: public and private infrastructure operators must collaborate at a national level to meet national security objectives, regardless of where the infrastructure function operates. In developing a Critical Infrastructure cybersecurity resilience and protection program, which forms part of the national resilience framework, governance (legislation, regulation, and the establishment of an oversight body) is the basis upon which a national critical infrastructure cybersecurity program is put in place. The governance challenge lies in promulgating the program from the oversight body down to the individual organizations, so that a consistent approach is supported by all participating organizations and compliance with the legislation and regulations is achieved.
Organizations have limited budgets, and implementing the legislated requirements can be arduous and expensive. Critical Infrastructure Resilience approaches must be implemented cost-effectively if they are to succeed. Critical Infrastructure operators have limited budgets for cybersecurity and resilience measures in general, let alone for the additional requirements that come with operations designated Critical National Infrastructure.
Effective Critical Infrastructure Resilience is achieved through skillful engineering of cybersecurity and resilience solutions: establishing a predictable and repeatable process that leverages risk management techniques and achieves cost-effective outcomes.
Operators typically have the skills to operate technical cybersecurity protection measures, but they usually lack the management system (the policies, processes, and procedures) necessary for a predictable and repeatable operation that leverages risk management techniques and achieves the desired cost efficiencies.
The ideal starting point for implementing a Critical Infrastructure cybersecurity resilience and protection program is one or more of the currently available NIST and ISO cybersecurity and resilience standards. Implementing these standards is always challenging when constrained by the seemingly opposing forces of limited budgets and the goal of maximum protection and resilience. To achieve a suitable level of critical infrastructure cybersecurity resilience, organizations must not only have such a cybersecurity and resilience management system in place, but must also perform the day-to-day activities defined in its policies, processes, and procedures; otherwise the system exists only on paper.
Most legislated requirements call for a risk-based approach. Although NIST and ISO provide guidance documents for implementing and operating risk management systems, that guidance is not, on its own, sufficient for most organizations to implement an effective risk management approach that is measurable and repeatable. Studies have shown that risk-driven cybersecurity and resilience methods result in protection measures that are more cost-effective and offer greater protection than a technology-first approach.
The NIST and ISO standards advise that the cybersecurity and resilience system be tailored to the organization: its size, stakeholder needs and expectations, available budget and resources, the criticality and vulnerability of its assets, the types of threats it faces, and so on.
NEOS delivers capacity building through training and implementation support for cybersecurity management frameworks based on the NIST Cybersecurity Framework, the ISO27001:2022 Information Security standard, and the ISO22301 Business Continuity standard.