The APQC Blog

What Should Companies Consider About Potential Cybersecurity Risks?

APQC recently spoke with Ed Perkins, the developer of the Certified Enterprise Risk Manager® - Cyber Security™ certificate, about the current state of cybersecurity and the introduction of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. This post presents the first half of the interview, in which Perkins describes the cybersecurity landscape and introduces the NIST framework.

View the slides from the webinar here.

Cyber threats have the ability to be quite disruptive to supply chains. In your experience, how are organizations managing this potential risk?  

First, it may be helpful to explain several IT threats to the supply chain: 

  • software with some form of malware, 
  • data theft, 
  • cyber terrorism from state sponsors, 
  • counterfeit hardware, and 
  • hardware with attached malware.  

There is an entire industry of security programs, devices, best practices, etc. developed to address cyber risks. Unfortunately, most of this is “bolted on” rather than having security “built in.” This means that everyone from global corporations to individuals purchasing a PC or software is vulnerable to attacks. Since all information (such as personal, health care, financial, and other information) is digitized, all of us will need to become cybersecurity experts. This means that organizations and all of us will have a higher standard of vigilance and due care to ensure that systems have not been compromised.

The organizational culture needs to understand the risk level and act accordingly. This is hard, as it is not always obvious to someone that their PC or mobile device could be important enough to be attacked. This is ever more important in the Internet of Everything. When everything is becoming interconnected, if things are not properly segregated and controlled, you can have holes through which attacks can be perpetrated.

Look at Target and Sony. Target was compliant with the PCI Data Security Standard, but that was not enough; the attacks came in via a vendor connected to its network. It had a detection system, which caught the attack, but as it was new, they disregarded it. Sony did not have in-depth defense (or segregation of data); once they got in, the hackers were able to access and download everything, including emails.

How has the cybersecurity landscape changed in the past 5 years? How do you see it changing in the next 5 years?

Over the past 5 years, we have seen increasingly sophisticated cyber attacks. We used to have to worry about email and attachments and visiting malicious websites. Now we see advanced persistent threats, malware, botnets, and data breaches. We also see actions by nation states, such as North Korea supposedly going after Sony in retaliation for a satirical movie. There are also attacks on industrial control systems, which support most of our critical infrastructure (such as power plants, water, transportation, etc.).

The U.S. director of national intelligence says cyber attack is the top threat to U.S. national security, ahead of terrorism. With mobile devices and the Internet of Things, if these things don’t become more secure than our current systems we will see even more headlines. One thing that won’t change is the need for the organizational capability to assess, protect, and defend against cybersecurity risks.

Over the next five years as more devices have IP addresses and are connected to the Internet of Everything, such as digital watches and digital toasters, the number of threats will increase exponentially.

What is the NIST framework? 

The increasing cyber threats mentioned previously will also necessitate an equivalent increase in monitoring (assurance) and risk management (threat mitigation).

In response to the increasingly sophisticated cybersecurity risks facing the nation, the president issued Presidential Executive Order (PEO) 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which directed NIST to develop “a framework to reduce cyber risks to critical infrastructure” and gave it one year to do it.

NIST has had responsibility for government cybersecurity standards and practices under FISMA (Federal Information Security Management Act) since 2002. NIST followed an “open” process to develop the Cybersecurity Framework. NIST’s Information Technology Laboratory collaborated with stakeholders from government, industry, and academia, which included having a public review and comment process and conducting several workshops.

The resulting Framework was released in February 2014. It was based on the use of risk management principles for cybersecurity and is commonly referred to as the Cybersecurity Framework or CSF. The purpose of the CSF is to raise the level of cybersecurity protection and capability for critical infrastructures and key resources in the United States, both in the government and private sectors. The CSF describes a process and a structure for developing a risk-based cybersecurity system.

We believe that the CSF will become the new minimum standard of due care for organizations having to address supply chain cybersecurity risks.