ThorstenSchmitt - Fotolia


Critical infrastructure compliance benefits from situational awareness

For critical infrastructure, a combination of situational awareness and compliance could be the best approach to industrial control system security.

Situational awareness is defined by the United States Army Field Manual as "knowledge and understanding of the current situation which promotes timely, relevant and accurate assessment of friendly, enemy and other operations within the battle space in order to facilitate decision making."

But situational awareness is not just for the armed forces: Companies within the critical infrastructure sector can and should improve protection of industrial control systems by helping their staffs develop situational awareness.

Developing situational awareness can be a challenge for staffs that manage industrial control systems within critical infrastructures, however. Modern critical infrastructures such as utility systems are very complex, and constantly changing cybersecurity variables and evolving threats exponentially outpace many industrial control system technologies.

The key to combatting these challenges is continual training around compliance rules and policies, in particular around supervisory control and data acquisition (SCADA) systems. SCADA systems enable command and control of critical infrastructure processes that use industrial control systems such as water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, healthcare, civil defense siren systems, financial services, transportation and large communication systems.

To increase situational and cyber awareness for SCADA systems, you should focus on training staff on password security, operation and functionality of front panel buttons, programming and re-programming, remote communication equipment and using devices such as Bluetooth.

Companies in the critical infrastructure sector need to take compliance training seriously. In fact, certain federal compliance training requirements should be made mandatory as a condition of employment for all personnel, including contractors. Beyond those requirements, your organization may have additional compliance training needs, tailored for the systems they use.

Staff members with a well-developed level of situational awareness can accurately assess current operations -- and vulnerabilities -- within the critical infrastructure. Once vulnerabilities and their exploits are identified, information security personnel need to perform further analysis on their severity and whether they would inhibit the critical infrastructure's ability to provide the intended services. Information security personnel can also use cybersecurity strategies such as intrusion detection to mitigate any anomalies before they can have a negative effect on operations.

U.S. government agencies are showing concern for compliance lapses. In fact, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) recently released new compliance standards for critical infrastructures. This release, named Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework, addressed how critical infrastructure owners and operators could reduce cyber threats in industries such as telecommunications, transportation, healthcare and power generation.

The U.S. Department of Commerce, in furtherance of its statutory responsibilities under the Executive Order 13636, produced the NIST Special Publication 800-82 Revision 2 Final Public Draft: Guide to Industrial Control Systems (ICS) Security. This publication states that a "documented formal security training and awareness program is designed to keep staff up to date on organizational security policies and procedures, as well as industry cyber security standards and recommended practices. Without training on specific ICS policies and procedures, staff cannot be expected to maintain a secure ICS environment."

This overlay is based on the NIST SP 800-53 revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, which provides a catalog of security and privacy controls for federal information systems and organizations. It also provides guidance for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures and human error.

Situational awareness and cybersecurity complement each other: As awareness increases so will security, and this emphasis on security heightens awareness. Situational awareness and cybersecurity strategies that are initially based on compliance standards (but not relying solely on them) play an important role in detecting cyber threats and preventing ICS attacks. Conversely, a lack of emphasis on awareness and security can leave an organization's workforce particularly vulnerable to threats such as social engineering attacks that take advantage of inadequate human situational and cyber awareness.

About the author:
Daniel Allen is a Research Fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks. He is also President of N2 Cyber Security Consultants, LLC, and has worked as a research scientist for the Naval Health Research Center/ Medical Resource Planning, and is a U.S. Army/Desert Storm veteran and a high school science and climatology instructor. He holds a Master's Degree in Cyber Security and Information Assurance from National University, designated by the National Security Agency and the Department of Homeland Security as a "National Center of Academic Excellence in Information Assurance Education."

Next Steps

IT security ops: Take advantage of SOX compliance best practices

Use security processes, strategy to remain regulatory compliant

Dig Deeper on Regulatory compliance training