Ancient Policies and Star-Crossed Infrastructure Risk
Sectors? Critical Functions? How about automation?
Two critical infrastructure risk models, both alike in dignity, in fair America where we lay our scene. From ancient policy breaks new confusion. Where civil infrastructure makes civil society functional. From forth these fatal loins, a pair of star-crossed views of infrastructure risk, take their life. Whose misadventure’d piteous overthrows, doth with their introduction, bury their risk managers’ strife. The fearful passage of their death-marked relationship, and the continuance of their risk managers’ rage, but their confusion’s end, could not remove, is now the 8 paragraphs’ traffic of our blog.
Within fair America, there is an ongoing debate in the field of infrastructure security and resilience regarding which model proves more useful: The National Critical Function (NCF) Model or The Critical Infrastructure Sectors (CIS) Model. Both models offer different perspectives on understanding and addressing critical infrastructure challenges, but their utility can vary depending on the specific use cases. Both models cover a vital and extremely complex issue: risk to our critical infrastructure. In this blog post, we will explore these differences and analyze scenarios where each model is most effective.
Who makes decisions on what is and is not critical infrastructure, anyway? Well, in the United States, the authority to designate critical infrastructure sectors lies with the Department of Homeland Security (DHS). Specifically, the responsibility falls under the purview of the Cybersecurity and Infrastructure Security Agency (CISA). The National Infrastructure Protection Plan (NIPP) serves as a guide for identifying and designating critical infrastructure sectors. It outlines a risk management framework and establishes processes for sector-specific agencies to identify and prioritize critical infrastructure sectors based on their significance to national security, public health and safety, economic vitality, and overall national resilience. The NIPP we are working off today was published in 2013, a full decade ago and old enough to be considered ancient when talking about things like cyber risk and the risk from emerging technologies to our critical infrastructure. This was the year that Miley Cyrus came at us like a Wrecking Ball. A few things have changed since then.
The CIS model is a traditional approach that organizes critical infrastructure into separate sectors such as transportation, energy, water, and information technology, among others. This model is mainly beneficial for sector-specific threats and vulnerabilities and encourages collaboration and policymaking within those distinct sectors. The sectors-based model is also widely used internationally.
The NCF model, on the other hand, views critical infrastructure from the standpoint of what critical functions or services a system provides. It emphasizes the interconnectedness of different sectors and how disruption in one area can impact multiple functions.
The CIS is the model most fair when dealing with sector-specific issues. For example, when formulating strategies to safeguard the energy sector from cyber threats, the CIS model can provide a structured way to understand specific vulnerabilities and risks within that sector. It allows policymakers and stakeholders to focus on unique requirements and security measures pertinent to their sector.
On the contrary, in situations where there is a need to analyze cross-sector dependencies and risks, the NCF model is your Romeo. A typical use case might be managing a nationwide power outage scenario, where the disruption not only impacts the energy sector but also cascades to other sectors such as transportation, healthcare, and financial services. The NCF model offers a broader perspective and can help devise comprehensive resilience strategies.
There need not be a fourth civil brawl as the prince warned when it comes to understanding critical infrastructure risk because there is plenty of complexity to go around. A sprawling interconnected entity that is the obvious target of adversary action but on whose function so many depend should be the subject of multiple perspectives in risk management. Critical infrastructure creates mountains of data, particularly as it becomes more connected to the internet. The risk understanding of critical infrastructure as captured in the 2013 NIPP cannot be viewed as valid any longer. The sectors model and the critical functions model both provide unique insights into a system of complexity that has few rivals. However, the criticism of the models should come in the form of automation of risk analysis. The data, speed, and importance of critical infrastructure risk demands more than human expertise. It demands expertise augmented with dynamic risk modeling that can give impactful and actionable recommendations based on relevant and contextual data. Technology hath reached an inflection point and the citizens of fair American doth look to its risk professionals to protect their services, not brawl about which model is best.
A glooming peace this dichotomous thinking brings. The risk models, for sorrow, will not show their heads. Go hence, to have more talk of automation in critical infrastructure risk management. Some shall be automated, and some punished. For never was a story of more woe than that of critical infrastructure risk, and its lack of data flow.