BreachExchange mailing list archives

Critical Infrastructure: Better Cybersecurity Metrics Needed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Nov 2015 19:42:55 -0700

http://www.databreachtoday.com/critical-infrastructure-better-cybersecurity-metrics-needed-a-8697

With the heightened threat of cyber-attacks on America's critical
infrastructure, a congressional watchdog says federal agencies need to
adopt better metrics to determine the cyber risks faced by the specific
industries they monitor.

"Until SSAs (sector-specific agencies) develop performance metrics and
collect data to report on the progress of their efforts to enhance the
sectors' cybersecurity posture, they may be unable to adequately monitor
the effectiveness of their cyber risk mitigation activities and document
the resulting sector-wide cybersecurity progress," Gregory Wilshusen,
director of information security issues at the Government Accountability
Office, says in a new report.

In its study, requested by the House Homeland Security Committee, GAO
focused on eight of the nine SSAs responsible for monitoring 15 of the 16
critical infrastructure sectors. GAO says the agencies generally took
actions to mitigate cyber risks and vulnerabilities for their respective
sectors. But it's in the area of performance metrics where most
sector-specific agencies fell short. GAO says the departments of Defense,
Energy and Health and Human Services established performance metrics
evaluating the effectiveness of their sectors' cyber risk mitigation
activities, but agencies overseeing 12 other industries hadn't.

Why so? GAO says the agencies rely on their private sector partners to
voluntarily share information needed to measure efforts.

'Exacerbating' Challenges

Take, for instance, the financial services industry, a sector that includes
thousands of banks, security exchanges, insurance providers and other
enterprises that operate globally. The Treasury Department faces
"exacerbating" challenges to develop metrics for a sector of such size and
diversity, says Amias Gerety, Treasury Department assistant secretary of
financial institutions. "Due to the highly dynamic environment these
factors create and the fact that Treasury does not have authority to
require private companies to submit potentially sensitive measure data,
measuring the sector's cybersecurity progress will be difficult," he says.

The Department of Homeland Security monitors cybersecurity activities in
eight industries, including chemical, commercial facilities,
communications, critical manufacturing, dams, emergency services,
information technology and nuclear. It shares monitoring activities for
transportation systems with the Transportation Department.

Lack of Authority

DHS is guiding various sectors in developing "appropriate metrics and
targets to measure progress toward national [and sector-specific
cybersecurity] goals and priorities," says Jim Crumpacker, the department's
liaison with the GAO. Still, he says, "the department does not maintain the
authority to impose metric requirements on the private sector. Even if the
department maintained the appropriate authorities, developing a single set
of performance metrics across the eight identified sectors would be
infeasible given the unique landscape of each sector and the dynamic threat
environment."

At the Environmental Protection Agency, EPA deputy administrator Kenneth
Kopocis says the agency is working with the water and wastewater sector to
develop metrics, measurements he acknowledges should prove valuable.
"Metrics could assist the agency with evaluating outreach and training
efforts, including identifying strengths, weaknesses and barriers to progress
with the sector that could be used to tailor sector programs," Kopocis says.

What's next? Despite the challenges of developing metrics, many agencies
say they'll work with the industries they monitor to develop meaningful
ways to measure the effectiveness of IT security initiatives. As
Treasury's Gerety puts it, "As the cybersecurity environment evolves over
time, Treasury will continue to work with our partners to improve the
sector's ability to assess its progress and develop metrics to help in
evaluating the impact of specific cybersecurity programs."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss