Description

The National Infrastructure Advisory Council (NIAC), in reporting the results of its extensive cyber security study to DHS, recommended use of the U.S. Cyber Consequences Unit (US-CCU) Check List for preparedness assessment. Asvaco's Cyber Security Assessment Product automates this Check List so that it can be easily used to help protect critical infrastructure.

The Charter of the NIAC is to advise the President, through the Secretary of the Department of Homeland Security, on the security of the critical infrastructure sectors and their information systems. These critical infrastructures support vital sectors of the economy, including banking and finance, transportation, energy, manufacturing, and emergency government services, among others.

The NIAC convened the Physical/Cyber Convergence Working Group (CWG) in October 2005 to investigate the ongoing convergence of physical and cyber technologies for Supervisory Control and Data Acquisition (SCADA) and process control systems and their consolidated network management. The Working Group convened a Study Group of subject matter experts to inform its work. The Working Group report informed the NIAC's deliberations.

Material on the economic consequences of cyber attacks should present a common-sense economic analysis of the cyber threat to control systems in easily accessible, strategic-level terms that speak directly to executive decision makers and facilitate a process of strategic vulnerability self-discovery, independent of intelligence threat assessments. The U.S. Cyber Consequences Unit (US-CCU) has developed and presented a good example of the material and process needed here, covering economic consequences of cyber attacks, the spectrum of potential hostile actors, and economic motivators for hostile actors.

The U.S. Cyber Consequences Unit (US-CCU), a non-profit research group, has developed a model for initiating the conversation with executives about the emerging cyber threat. The US-CCU has found that executives will accept and make use of viable strategic information if it is presented to them. The first step is a dialog in which executive leaders begin thinking critically about the vulnerabilities that cyber threats create for their company's strategic position. This conversation must occur at a strategic level, and it should include information on potential hostile actors, economic motivators for hostile actors, operational and economic consequences, and existing cyber threats.

The NIAC found that communication of the cyber risk to critical infrastructure control systems is needed for all executive leaders in both private- and public-sector organizations involved in infrastructure protection. Outreach efforts related to the Cyber Security Procurement Language for Control Systems identified government executives at all levels of government as a critical group needing education and awareness.

Resources

  • THE US-CCU CYBER-SECURITY CHECK LIST
    BY JOHN BUMGARNER AND SCOTT BORG, Final Version 2007 ( www.usccu.us )
  • THE NIAC CONVERGENCE OF PHYSICAL AND CYBER TECHNOLOGIES AND RELATED SECURITY MANAGEMENT CHALLENGES WORKING GROUP
    FINAL REPORT AND RECOMMENDATIONS BY THE COUNCIL JANUARY 16, 2007
    http://www.dhs.gov/xlibrary/assets/niac/niac_physicalcyberreport.pdf