SCADA, process control systems and the critical infrastructure of the U.S. are being targeted “at an unprecedented rate with unpredictable motives,” PricewaterhouseCoopers (PwC) said on its website.

To address this issue, President Barack Obama issued Executive Order 13636 in February 2013, calling for the National Institute of Standards and Technology (NIST) to develop what is now the NIST Cybersecurity Framework “to assist organizations in applying the principles and best practices of risk management and provide a methodology to measure current and target state maturity levels.”

The framework was created through collaboration between industry organizations and the government, and PwC participated in every workshop since NIST’s initial request for information.

In a PwC webcast presented on Aug. 13, titled “Transforming your Security Posture with the NIST Cybersecurity Framework,” speakers defined cybersecurity, described the threats and motives of adversaries, and gave an overview of the NIST Cybersecurity Framework.

PwC defined four types of adversaries, or “threat actors”:

  • Nation states are “organizations that are controlled by nations who are trying to do harm to other nations, or they’re trying to steal intellectual property for the betterment of their own nation,” Jim Guinn, energy advisory security practice leader at PwC, said during the webcast. WatchGuard Security Center defined nation states as “government-funded and guided attackers ordered to launch operations from cyber espionage to intellectual property theft,” who “have the biggest bankroll, and thus can afford to hire the best talent to create the most advanced, nefarious and stealthy threats.”
  • Hacktivists are politically motivated cyberattackers trying to impart a political message. They “are individuals that are motivated to do something ill to an organization,” Guinn said. “There’s a lot of misinformation about how the energy industry works, what works well in it, what’s dangerous, [or] what it may or may not do to the environment, so there’s a lot of hacktivists out there that just want to make oil and gas companies or energy companies look bad.”
  • Organized crime adversaries target financial services and retail. They try to steal credit card information or personally identifiable information to sell it on the open market.
  • Insiders are the ones that “really keep people up at night more today than anything else,” Guinn said. They include “disgruntled employees, employees who are unhappy about something that occurred [or] who might think that they’re being an advocate or a whistleblower, when in fact, they’re really nothing more than hacktivists within an organization as an insider.”

So what property is most at risk? Threat actors target a wide range of information, technologies and data. SCADA systems and emerging technologies, credit card and related information, financial markets, advanced materials and manufacturing techniques, energy data, R&D and/or product design data, healthcare pharmaceuticals and/or related technologies, business-deal information, health records and other personal data, and information and communication technology and data are among the valuable items at risk.

“The problem is executives don’t know exactly what adversaries might be looking for at the time of an active breach,” Guinn said. “Every single one of them has had a significant impact on today’s threat landscape, and we’re very, very concerned about how we mitigate controls around our information and the protection of our IP assets.”

More than 80% of CEOs believe technology advances will transform their business, and that includes operational technology, information technology and consumer-based technology, according to a PwC survey. However, 70% of the executives’ organizations expressed concern about their ability to protect intellectual property and confidential customer data, and 49% of CEOs are somewhat or extremely concerned about cyberattacks.

“You’re talking about economic espionage. You’re talking about loss of critical information or IP. You’re talking about malware and ransomware,” said Guinn. “The reality is [adversaries] are looking for any sort of information of value. It’s unfortunate, but the threat actor is simply looking for some door that was [left] open and [is] trying to walk through that door, and once they walk through that door, they listen, they pay attention and they collect the traffic to figure out what was most valuable. And then, as we well know, a lot of these threat actors, especially the organized crime arena, are then selling that data to other individuals to exploit. They don’t necessarily really care what they’re getting. They just want to have something of value.”

Matt Linde, director of energy advisory practice at PwC, continued, “Clearly, we have a lot of different challenges that we face in trying to figure out how to secure our environment, and it’s because of these challenges, at least in part, that the United States leadership has expressed public concern about the health of our systems and our technology that our critical infrastructure depends on.”

The NIST Cybersecurity Framework “gives us kind of a list of outcomes or decision-making type levers at the executive level,” Linde said. The framework comprises three areas—the core, the tiers and the profile. The highest level is the core, which includes functions, categories and subcategories.

It “establishes the capability areas to consider as applies to the security posture,” according to PwC. “The framework core is kind of a hierarchy of capabilities, and there are five primary capabilities or functions [within that, which are] identify, protect, detect, respond and recover,” Linde said. “These designations make it possible for us to have a meaningful conversation with various individuals around us, whether they be security experts or not, and that helps us in creating a consumable message as we create either executive summaries or we work with other industry peers. We’re trying to communicate at a high level or talk about our [security] posture from a business standpoint.”

The tiers are “kind of that maturity ranking scale or maturity model,” he said. They provide a measurement system for determining profiles and analysis. And the profile facilitates communication, awareness and transformation. The profile is “more of an identification of your cybersecurity posture using the CSF [cybersecurity framework] core, and then the tiers are really kind of your unit of measure,” Linde said.

Applying the framework involves a cycle of four steps: engaging an executive sponsor, assessing the current profile, defining the target profile and refining continuously, according to PwC. It is critical to understand the business context and establish executive alignment. “Having the executive sponsor who can traverse the various lines of business, because not all organizations have operational technology assets underneath the CIO, will give you a broader perspective of where your threats and vulnerabilities might exist across all of the assets that tie into the corporate network via some sort of IP connection or other connection,” Guinn said.

Furthermore, assessing the current profile involves understanding the threats and risks as well as determining the organization’s current state. Defining the target profile means establishing a baseline for risk management and also creating a target profile and identifying the gaps. Finally, refining continuously means keeping the stakeholders informed and analyzing the threat landscape and business changes.

The NIST Cybersecurity Framework was ratified and published on Feb. 17, 2013, and the company released the first version of the Framework for Improving Critical Infrastructure Cybersecurity in February 2014.

Contact the author, Ariana Benavidez, at abenavidez@hartenergy.com.