Cloud privacy / Security / Communications - A New Technology, Nunchi

National Institute of Standards and Technology RFI

(Docket Number 130208119-3119-01)

Developing a Framework to Improve Critical Infrastructure Cybersecurity

Lauren Edwards

AirPatrol Corporation

410-794-1213

ledwards@airpatrolcorp.com

Introduction

The creation of the Cybersecurity Framework is necessary for the future of critical infrastructure security. When dealing with cyber, we must realize that it changes daily and sometimes dramatically. The most impressive change to cybersecurity has been with the infiltration and exponential growth of mobile devices. A security gap often ignored, mobile devices can be a large source of data exfiltration, espionage, malware dissemination and overall increase of risks related to organizational missions and business functions.

Summary

The introduction of mobile devices into agencies and corporations worldwide due to policies such as BYOD (Bring Your Own Device) is a headache to IT and poses a significant problem to security. The best way to protect against mobile device threats is to know your wireless environment and determine the types of permissions allowed to mobile devices according to location, such as inside your company and on your network or outside. With continuous wireless monitoring, precise indoor locationing and reporting, enterprises are empowered to define current threats, act on them, and create policies to protect against them in the future.

The 20 Critical Security Controls for Effective Cyber Defense released by SANS and CSIS (Center for Strategic and International Studies) is said to reduce "measured" security risk by 94% (http://www.sans.org/critical-security-controls/). These controls include mobile security topics such as:

1. Inventory of Authorized and Unauthorized Devices

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

7. Wireless Device Control

Comment Sections:

•

Current Risk Management Practices

1. The greatest challenge in improving cybersecurity practices across critical infrastructure is securing without limiting employees’ functionality. For example, the influx of mobile devices into the corporate environment is a result of employees’ desire for mobility and greater flexibility but if these devices are locked down or forbidden, employees are not only unhappy but also are not as efficient as they could be. In many cases employees bypass these restrictions in favor of convenience thus unwittingly exposing the organization to enhance risk. Security

without changing the purpose of mobility is a challenge faced across all organizations.

2. The greatest challenge in developing a cross-sector standards-based Framework for critical infrastructure is dealing with mobility and cybersecurity on an individual basis instead of looking at the bigger issues and determining simple solutions that will work in a variety of situations. For example, trying to secure infrastructure for each of the many operating systems and devices used by employees and visitors is not only illogical but may be impossible. It is necessary to solve the larger issues such as what all devices should be able to do in what location and in what context – for example, no use of camera while in the board room or SCIF - and apply it to all organizations.

3. The best way to measure and control risk is to have continuous situational awareness of the wireless environment. As you cannot protect against something you are unaware of, a complete real time wireless picture of all devices connecting to networks, communicating with outside sources and physically inside your organization is important. Both wifi only and cellular devices of any operating system are capable of unknowingly operating with dangerous malware that may hack sensitive or confidential information to outside locations without the user’s permission. With precise locationing, rogue access points and unknown devices can be easily found and managed or terminated.

4. Cybersecurity is no longer solely the responsibility of the IT department. As the physical and cyber worlds collide, executives and IT support need to both be involved in decisions regarding how to properly secure their enterprise. The element of location and context is becoming more important as many employees work remotely and often from unsecure network locations such as a local coffee shop. Executives must cooperate with IT to create and enforce mobile device policies that apply to a variety of locations and protect the infrastructure’s cybersecurity.

5. Cybersecurity risk can be defined as any event that endangers a corporation’s assets via non-physical means such as wireless, networks, digital capture, etc.

6. Cybersecurity risk should now be an integral part of organizations’ overarching enterprise risk management. Although some ignore the risk and hope that "it won’t happen to me," a number of large, public companies with extensive cybersecurity measures in practice have been hacked with confidential information leaked (CanTech, 2013 http://www.cantechletter.com/2013/02/nortel-syndrome-why-large-companies-will-continue-to-be-hacked0221/). Small companies are also a target as they are seen to have intellectual property (IP) that is innovative and worth a large sum to the right buyer (CNBC, 2013 http://www.cnbc.com/id/100532366).

7. Reporting solutions that monitor and detect wireless and cellular activity in an enterprise with contexts such as precise location and user role are good tools to understand risk. Once risk is known, current mobile device policies and management guidelines can be altered to better control present and future risk. Mobility and cybersecurity are constantly changing and the procedures to control related risks must grow with them.

8. Required reporting of cybersecurity events has been a hot topic recently as privacy issues have been addressed with the highly debated Executive Order on Cybersecurity (http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-