Start with infrastructure security

At CIS®, we encourage users to start secure and stay secure. But what does security really mean? For critical infrastructure sectors, security is defined by Presidential Policy Directive 21 (PPD-21):
The terms ‘secure’ and ‘security’ refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.
Organizations can implement security in different ways, including both physical and cybersecurity measures. Examples include:
- Installing ID badge verification at doorways
- Using security fencing around buildings
- Deploying network monitoring
- Locking devices (such as laptops and cell phones) when not in use
Build with resilience

According to the same policy directive (PPD-21), critical infrastructure sectors should strive for resilience:
The term ‘resilience’ means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
As with security, organizations undertake both physical and cyber resilience strategies, such as:
- Having a backup power generator
- Developing a business continuity plan
- Building with materials appropriate to the area’s natural risks
- Implementing annual cybersecurity training for employees
Manage the risk

One key concept behind both security and resilience is managing risk. PPD-21 explains that critical infrastructure “owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”
Cyber risks include DDoS attacks, malware, phishing scams, data breaches, and more. So how can critical infrastructure sectors and other organizations prepare? To help organizations understand and mitigate cyber risks, we offer a free resource known as CIS RAM (CIS Risk Assessment Method). CIS RAM helps organizations conduct a cyber risk assessment and implement the cybersecurity best practices found in the CIS Controls™. The method provides three pathways based on your organization’s experience with cyber risk:
- For organizations new to risk analysis, CIS RAM provides instructions for modeling threats against the CIS Controls.
- For organizations more experienced with cybersecurity, CIS RAM provides instructions for modeling threats against information assets.
- For cyber risk experts, CIS RAM offers instructions for analyzing risks based on “attack paths.”