As we transitioned from the end of 2013 to the beginning of 2014, we were again reminded about the importance of cybersecurity in everyday life. From the big Target breach of data that has become a nightmare, to a wider warning issued this week to retailers from the Department of Homeland Security (DHS), to the NSA changes to collection of our phone records announced by President Obama on Friday, the topic of protecting our data has never been more front and center in the news.
So why should we pay attention to the new version of the National Infrastructure Protection Plan (NIPP)? Is this just another example of government bureaucracy issuing another report that no one really cares about? Or worse, are the public and private sectors working together to divert our attention away from data breaches?
I think not.
While there’s little doubt that the infrastructure protection topic is not very hot (right now), when compared with NSA-Snowden or data breaches at major retailers, protecting the most important items within our “Internet of Things” is a really big deal. I give DHS credit for leading this charge, along with their federal and private-sector partners.
These efforts reflect important milestones following President Obama’s State of the Union speech last year which described the new infrastructure threats we face as a nation.
And this topic is only going to get more important as we move forward. Allow me to explain where we are and where this is going in 2014.
Background on New 2013 NIPP
The 2013 National Infrastructure Protection Plan (NIPP): Partnering for Critical Infrastructure Security and Resilience was released in December, and it replaces the previous version from 2009. President Obama required this update in February 2013 when he signed Presidential Policy Directive 21, which calls for a national unity of effort to strengthen critical infrastructure against vulnerabilities.
The 2013 NIPP Executive Summary begins this way:
Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems, and networks that underpin American society. To achieve this security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment. NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (hereafter referred to as the National Plan), guides the national effort to manage risk to the Nation’s critical infrastructure.
The community involved in managing risks to critical infrastructure is wide-ranging, composed of partnerships among owners and operators; Federal, State, local, tribal, and territorial governments; regional entities; non-profit organizations; and academia. Managing the risks from significant threat and hazards to physical and cyber critical infrastructure requires an integrated approach across this diverse community to:
• Identify, deter, detect, disrupt, and prepare for threats and hazards to the Nation’s critical infrastructure;
• Reduce vulnerabilities of critical assets, systems, and networks; and
• Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur. The success of this integrated approach depends on leveraging the full spectrum of capabilities, expertise, and experience….
What has changed?
There have also been numerous “calls to action” on cybersecurity over the years from industry, federal and state governments. How is this different?
The new NIPP is written at a high level and is a simpler read than the old NIPP. As described by Fierce Homeland Security, “security and resilience” are the primary aims of the planning document. I like this summary:
…The new NIPP reaffirms the existing coordination council structure DHS has put in place to coordinate public and private sector actions among 16 identified critical infrastructure sectors. But, it calls on national-level councils to jointly issue multi-year priorities based on multiple information sources, including results of state and regional Threat and Hazard Identification and Risk Assessments (THIRA)….
There are many more details on this topic, related 2013 NIPP supplements, training courses, authority references and other data available at www.dhs.gov/nipp.
The scope of this effort is massive. The Sector-Specific Plans from each of 16 critical infrastructure sectors must be updated during 2014. Once those more specific plans are in place, the implementation of the action items will take years. The new National Institute of Standards (NIST) cybersecurity framework efforts must be leveraged as well.
Now is the time for NIPP 2013
And yet, despite minimal news coverage, there is no more important set of cybersecurity priorities facing our nation than the items covered in this document. Press articles about the smart grid getting hacked or pacemakers issuing unwanted shocks to the body or cars that drive themselves are all related to this broader topic of protecting critical infrastructure in the 21st century.
During a recent lunch conversation with a top technology leader from a large hospital chain, the issue of protecting non-traditional medical devices (that have an IP addresses and often WiFi connectivity) was a huge topic of concern. In fact, over 50% of this security leader’s problems were focused on mitigating risks from these devices. I have heard similar stories from other sectors.
So get ready for some major rollout events on this NIPP topic beginning in February, with more to come in your particular sector throughout the year.
A final point on why you need to engage. We need to improve our industry partnerships. Security and technology teams will fail if we don’t work together to share timely, relevant information in more effective ways.
Jason Nairn, one of my deputy CSOs in Michigan, was recently on a national conference call sponsored by DHS on the new NIPP 2013. During the Q/A section, he asked "What is the most significant accomplishment of the NIPP thus far in the enhancement of our national security?"
The response from DHS:
"The most significant accomplishment of the NIPP program thus far has arguably been the establishment of the critical infrastructure public-private partnership and its subsequent activities to secure and strengthen the resilience of critical infrastructure. The effort to reduce critical infrastructure risk has been a joint voluntary undertaking between critical infrastructure partners in all levels of government and the private sector.
The critical infrastructure partnership is the primary mechanism for promoting and facilitating sector and cross-sector planning, coordination, collaboration, and information sharing to manage risks to critical infrastructure. A 2013 evaluation of the critical infrastructure partnership, conducted in response to Presidential Policy Directive 21, validated the current structure of the partnership at the national level and made recommendations to enhance and expand partnership activities at the regional and local levels."
Therefore, I urge you to read the NIPP 2013 and become engaged in your sector-specific plan in 2014.