Strategy for Securing Critical Infrastructure from Cyber attacks

  • QUESTION

    Strategy for Securing Critical Infrastructure from Cyber attacks    

    Weeks 7-8 Written Assignment (Final Project) - Due
    Nov 29, 2020 11:59 PM
    EDMG600 B001 Fall 2020
    • Written Assignment (Final Project) submit here
    • Your subject matter request should be sent to me via messaging.
    o IMPORTANT
    § Final Project must be at least 10 APA-formatted and referenced pages including title page and references.
    § You must submit your Final Project as any other Written Assignment in the course to Turn It through Week 8 Assignments.
    • In the Final Project, all listed sub-headings/sub-sections from the Final Project Content and Format must be included.
    • If you have taken EDMG540 (Research Methods), you can use EDMG540 template to structure your Final Project. In some subsections/subheadings from this course template under Research Design section you should state briefly in a paragraph or two, a method/technique you would use to conduct your own "field" research on the subject (survey, interview/s, statistical analysis, content analysis, etc.). You will have no time to conduct actual field research.
    • In the Literature Review section, you should APA-review at least 10 peer-reviewed authors who wrote on the chosen subject in addition to primary sources (laws, regulations, convention, treaties and media sources). Wikipedia should not be used as a reference.
    • In the Analysis section, you should critically assess authors' premises, logic of inquiry and claims. You should inject your own thoughts on these authors' analyses and the topic itself by the end of the Literature Review and in the Analysis section. The Analysis section should conclude with a statement on your own previously stated Hypothesis that should answer the question if your Thesis is valid or not.
    • For Policy Papers, please see the Final Project under Announcements (Policy Paper section).
    • Submit as Microsoft Word document.
    • Name the file "EDMG600FinalProject_YourLastName.doc/x" (i.e., EDMG600FinalProject _Pesic.doc/x).
    • You must use APA style.


 

Subject: Technology; Pages: 13; Style: APA

Answer

Strategy for Securing Critical Infrastructure

Abstract

            There is an increasing application of technology in managing daily life issues. However, increased use of technology has resulted in cybersecurity attacks on critical infrastructure, therefore disrupting both government and private entities' daily activities. A study was thus developed to analyze articles explaining the roles of cybersecurity policies in Critical Infrastructure protection. Using a systematic review, ten peer-reviewed articles were analyzed to determine the role of cyber laws and policies in addressing critical infrastructure issues. The study's main problem statement was to determine if cybersecurity policies are observed by various stakeholders, while the hypothesis of the study was to determine the relevance and application of cybersecurity policies.

 The findings of the study indicate that there is a gross violation of cybersecurity and policies. From the analyzed articles, security concerns are majorly focused on acceptable use policies, access control, and management changes. Other related policies seek to address security issues, but these policies lack the exact specification of different players' roles. Recommendations from this study include revising cyber laws and policies and providing detailed enforcement guidelines for prosecution when security breaches are detected in a system. The study further outlines areas for further study on business continuity policies and insurance provisions to critical infrastructure.  

Introduction

The United States outlines 16 critical infrastructure systems, assets, and networks that influence Americans' lives every day. However, these listed infrastructures are becoming critical targets for most cyber attackers, who, in turn, bring damage and disruption to everyday life. Such damage is inflicted on physical assets through the penetration of digital management systems. Therefore, the process of Critical Infrastructure Protection (CIP) was necessary to protect both private and government corporations from security breaches using policies. The special Presidential National Infrastructure Advisory Council (NIAC) was formed to bring together private and government entities to formulate management strategies for responding to risks.

The council's roles and duties were outlined, and the Senate was tasked with policy amendment while local and national authorities contributed to policy enforcement. On the other hand, the laws and policies were adopted by the Department of Homeland Security for monitoring progress and relevance in addressing cyber-attack concerns. However, several cyber-attacks on critical infrastructure are still experienced together with a lack of specification of roles between private entities, government, and international relations. The research was, therefore, conducted to establish the relevance of cybersecurity strategies on risk management. Additionally, the research sought to determine the application of laws and policies for CIP concerns.

Problem Statement

Government and private entities are increasingly applying digital surveillance to manage essential information in their networks. However, the management of physical assets using technology encounters barriers when coordinating various stakeholders to address risk concerns. The study thus sought to answer a general study question: are the cybersecurity policies observed by stakeholders? Specific questions applied in the study were: Are the roles of the Senate and presidential directives defined? Do cybersecurity policies address international cyber use concerns? And lastly: are the policies directing actual issues affecting network information systems? Using the NIAC and the Department of Homeland Security, the study sought to address the relevance of cyber laws and risk mitigation policies.

 During the study, the general objective of guided activities was to determine effective cybersecurity management policies. Specific objectives for the study were to determine stakeholders' roles and duties in providing cyber risk mitigation en countries in addressing cybersecurity issues. The study was also based on the hypothesis: counties have the same cyber risk mitigation strategies. Using the provided objectives, this study evaluated various aspects of cybersecurity and how responses have been applied to reduce the extent of damage faced on the critical infrastructure. 

 Further, the study provided insight into the types of critical infrastructures and ownership of these infrastructures to meet user needs. Assumptions were applied that not every stakeholder understands risk mitigation on security issues that may arise. Using these assumptions, an understanding of various risk management strategies was developed.

Proposed Methodology

            Although the study question produced several issues critical to infrastructure protection, the study could not research the field to collect primary data. A systematic literature review was thus conducted to access several peer-reviewed articles that could be applied to understand the state of cybersecurity management. In this way, a group of articles and journals published from 2015 to 2020 were selected for the study. On the other hand, the selected articles and journals were filtered to obtain specific publications on cyber laws and policies. Further, the selected documents were considered for content on CIP and jurisdiction to apply the general laws and policies. Given the study's objectives and research questions, this methodology applied a specific database to ensure that articles and journals selected for review were up to date with advancing cybersecurity risk management provided by the Department of Homeland Security.

The selected articles and journals came from Science Direct as well as Research Gate. Reasons for selecting articles and journals from these databases were the validity of the information provided and its relation to cybersecurity policies and regulations. A systematic review of these articles also ensured that the study's crucial finding was clearly outlined and visible to the researcher. This method was further validated by evaluating the specified roles of the Senate and presidential decree on cybersecurity concerns. The research was, however, allowed to consider other credible sources addressing network systems information security.

Expected Value of the Research

            Increasing growth in internet interconnections has resulted in increased cases of cyber-attacks. The study, therefore, focused on the construction and management of security options applied by organizations to facilitate their growth over some time. Using systematic research policy on online publications, expectations of the study were on acceptance of cyber policies and practices by organizations and their ability to understand its use. The next expectation that was applied was on access regulations applied by both government and private entities to handle their information and classification as confidential or for general use. In this section, the research sought to determine policies governing system use authorization and control applications to manage unauthorized entries into the system.

A policy outlining changes in network system management was also taken into consideration. Critical goals of increased awareness among system users, understanding the need for change in policies, and the ability to change were expected to be covered in the selected articles. Subsequently, the study focused on information security control policies covering a more extensive section of other security measures applied.

This evaluation targeted government and private entities to gather data on information system classification and labeling as primary or secondary.  The study also expected to gather information on policies for security incident response, remote access, and communication policies applied in the management of critical infrastructure. On the other hand, the researchers expected the selected articles to cover information on disaster recovery, business continuity, and monitoring and control practices applied.

Literature review

An acceptable use policy requires users of a system to accept its terms before they are granted use. According to Dean and McDermott's (2017) evaluation of US CIP, an employee who is authorized to use an organization's assets must agree to the terms and conditions of the provided security policy to be granted access. Similarly, a new employee joining the organization needs to be subjected to this format of acceptance and authorized use. However, in their article, the authors indicated that some organizations fail to subject their employees to the verification process, thus creating a gap for entry of unauthorized users. To correct this situation, the article recommends that the organization's legal department, human resources, and Network Information System (NIS) monitor and enforce this policy for corporate data protection.

The policy of access and control governs an organization's data and information system. In ensuring policy interventions on control, considerations are given to access and system control measures that seek to monitor and regulate a system's users (Vassilev et al., 2020). In managing critical infrastructure, management policy needs to develop a strategy for the user guide, server management, and Operating System (OS) evaluation to establish compatibility and durability of the systems (Zhang et al., 2018). Although the study did not focus on direct policing of server, OS, and user guide regulations, there was a discussion on a monitoring system to avoid internal risks following the crashing of obsolete systems.

 The CIP gains stability by outlining the process for change in management policies of a network system. Some organizations have endangered critical infrastructure by excluding its users from initial orientation to understand the system's basics and participate in following security measures. By outlining change of management policies, awareness and understanding of system functions are elaborated to users, creating a sense of shared responsibility. This process is not only essential for critical infrastructure protection but also offers extended protection to other users. 

 Organizations design their information security policies such that they can contain a vast volume of data. Typically, such systems apply primary information policies to govern all employees using the system components to apply outlined rules and guidelines (Tam & Jones, 2018). Applications of these information security policies are sometimes implemented by subjecting employees to commit to organizational rules and regulations. This verification of user signing is to hold them accountable in case breaches are detected in the system following negligence use by authorized personnel. However, this article provided limitations on additional cybersecurity legal policies to prosecute system users.

Since organizations are focused on modern technology applications to manage data and save on space, the policy of Incident Response plays a significant role in improving internal security. Under this policy, an organization is given a strategy for managing situations in the event operations are paralyzed (Rizal & Yani, 2016). This policy further outlines how an incident can be effectively managed without causing extended damage to business operations and subscribers in the shortest time possible. The government, under the Department of Homeland Security, applies the Incident Response policy by outlining the response execution path for specified types of risks. However, cyber-security threats are dynamic, therefore impossible to manage effectively.

An organization linked to a network system applies remote sensors to manage forms of cyber threats that can paralyze operations. The policy of remote access determines effective management using remote sensors. In this policy, documentation of approved ways for remote connection of an organization to an external link is provided with consideration of security issues (Li et al., 2019). Such policies work effectively by including addendums and specifications for bring-your-own-device (BYOD) applications. When organizations have decentralized their infrastructure within a geographical area, this policy is essential for management. Contrarily, the journal outlines that some institutions' remote access policy is not applied in managing critical infrastructure.

Communication is an essential input in the management of the critical infrastructure of an organization. The most common official means of communication applied in an organization is email. Therefore, organizations seek to execute control on email use to gain accountability on information conveyed from the organization to its external environment (Koniagina, 2020). A communication policy is thus employed for an organization to govern language use, working hours, and posts on blogs and social media. Implications have, however, been reported concerning harassment information passed through approved organizational platforms. There is a need to address existing breaches that are not covered by communication policy.

Although there are policies to manage cybersecurity risks on critical infrastructure, disaster is still reported in some organizations arising from cyber-attacks and threats (Kovács, 2018). In such cases, a disaster recovery policy applies to address a recovery procedure that will ensure customers' supply is not interrupted despite an attack on infrastructure. An independent body, such as an insurance company, is usually contracted to offer an evaluation and compensation plan. However, complaints have been faced in determining the extent of damage and percentages compensated according to damage. On the other hand, damage to these assets may occur in user data that cannot be recovered.

 Upon the occurrence of risk to the organization, damages are always reported. However, the business continuity policy provides an outline for recovery and seeking to attain the original position. Among key considerations are recovery on hardware, application, and other business components (Howard & Arimatéia, 2017). Different approaches are always applied to bring business back to its financial position. Despite the existence of business continuity policies, some damages are so extensive that they have seen closure or government services disruption. There is an underlying need to address such issues for the attainment of efficiency in CIP.  

Cybersecurity concerns tend to be more virtual compared to physical occurrences. Organizations have thus focused on virtual protection through the use of anti-malware and antiviruses to protect network systems. Little or no attention is typically directed to protecting critical infrastructure's physical hardware components (Anwar et al., 2017). Outcomes of such negligence have been the destruction of communication masts by terrorists, fire, or other forms of natural disaster. According to this article, there is a gap in study knowledge to create awareness for users to include the protection of a network system's hardware components.

Result analysis

Different authors have managed to outline how CIP has been attained by management policies from the study conducted. Among policies discussed by authors are acceptable use, access control, and change of management. The authors' additional considerations include information security, incident response, and remote access policies for enhancing safety in network systems. The authors further provide findings on disaster occurrences and management policies and an additional review of business continuity in the event of a disruption.

   The authors' information concludes that policies have not effectively addressed cybersecurity concerns on critical infrastructure protection. Despite various guides to outline what should be done, organizations opt to either ignore policies or fail to implement provided policy guidelines. Implementation and enforcement of these policies lack a clear description of key individuals involved in their use to manage risk. Therefore, it is evident that these risks are not listed according to the extent of their urgency, which has contributed to breaches in security systems designed to manage critical infrastructure. Most importantly, policies on the provision of physical security to a network system's hardware components need to be addressed.

Conclusions

Cyber laws and policies are developed to help in managing cyber risks and disruptions caused to critical infrastructure. However, these policies have not attained their effectiveness in addressing security concerns to reduce risks on infrastructure. Organizations have also failed to adhere to outlined cyber risk management policies, leading to the creation of security breaches that make network systems vulnerable. This process has resulted in the loss of critical information, damage to network hardware components, and miscommunication in a system when communication policies are violated. This gap in policy operation is a barrier to business continuity.

            Strategic management of cybersecurity is a critical issue provided by the government and its law amendment bodies. However, there are problems in defining various stakeholders' roles, leading to debates on who should take responsibility for cyber-attacks. Clear guidelines are also not provided for the prosecution of perpetrators or employees who fail to observe system user policies. This conflict is traced back to presidential directives and senate security bills to manage cybersecurity risks. Additional observations are that critical infrastructure contains hardware components that require priority when strategizing for effective management. Therefore, the process of risk mitigation lacks defined identification, management, and monitoring and control policies together with defined roles for each stakeholder.

Recommendations and areas for future study

             From the analyzed articles and findings on cybersecurity concerns, there is a need for revising cybersecurity policies on managing critical infrastructure. In this case, the roles of stakeholders need to be outlined together with specific outlines for prosecutions. Additionally, there is a need to formulate a policy enforcement team to ensure adherence to cybersecurity policies by companies and the education of employees to understand the operations of a system. Finally, additional study is required on how business continuity and insurance can be provided for addressing cybersecurity concerns. This process will help solve arising issues on compensation and protection to the loss of essential data from the system.

 

 

 

 

References

 

Anwar, M., He, W., Ash, I., Yuan, X., Li, L., & Xu, L. (2017). Gender difference and employees' cybersecurity behaviors. Computers in Human Behavior, 69, 437-443.

Dean, B., & McDermott, R. (2017). A research agenda to improve decision making in cybersecurity policy. Penn St. JL & Int'l Aff., 5, 29.

Howard, T. D., & Arimatéia da Cruz, J. D. (2017). Stay the course: Why Trump must build on Obama's cybersecurity policy. Information Security Journal: A Global Perspective, 26(6), 276-286.

Kovács, L. (2018). Cybersecurity policy and strategy in the European Union and NATO. Land Forces Academy Review, 23(1), 16-24.

Koniagina, M., Belotserkovich, D., Vorona-Slivinskaya, L., & Pronkin, N. (2020). Development Trends of an Internet of Things in Context to Information Security Policy of a Person, Business and The State. Talent Development & Excellence, 12(2).

Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior. International Journal of Information Management, 45, 13-24.

Rizal, M., & Yani, Y. M. (2016). Cybersecurity Policy and Its Implementation in Indonesia. Journal of ASEAN Studies, 4(1), 61-78.

Tam, K., & Jones, K. D. (2018). Maritime cybersecurity policy: the scope and impact of evolving technology on international shipping. Journal of Cyber Policy, 3(2), 147-164.

Vassilev, V., Sowinski-Mydlarz, V., Gasiorowski, P., Ouazzane, K., & Phipps, A. (2020, February). Intelligence graphs for threat intelligence and security policy validation of cyber systems. In Proc. Int. Conf. on Artificial Intelligence and Applications (ICAIA2020). Advances in Intelligent Systems and Computing, Springer.

Zhang, H., Tang, Z., & Jayakar, K. (2018). A socio-technical analysis of China's cybersecurity policy: Towards delivering trusted e-government services. Telecommunications Policy, 42(5), 409-420.
