Critical Infrastructures Industry and Government Standards

Critical Infrastructure Government and Industry Standards

Introduction

Dean (2013) defines standards as agreements, which contain precise criteria and are documented to ensure that processes, products, services and materials suit their purpose (60). In information technology (IT), standards contain technical specifications that dictate how a particular service, product or material ought to be designed or performed. Interoperability between software and hardware products from different manufacturers is also determined by specific standards (Cowely, 2013). The importance of standards in IT is amplified by the wide variety of hardware and software in use today. Standards only set the minimum acceptable performance requirements of a service or product – not the ideal.

Government Standards

The government, through legislations and formulation of oversight bodies, has taken a firm interest in overseeing the protection of the nation’s physical and virtual critical infrastructure. Executive Order 13636 issued on the 12th of February, 2012 by President Obama dictates the current standards applied to securing the nation’s critical infrastructure cybersecurity through a tiered approach (More and Kanungo, 2016). Further directives by the President led to the formation of the National Institute of Standards and Technology (NIST) in 2014. Moussavi (2012) notes that, standards and protocols such as the minimum security requirements for federal information and information systems, are set by the Federal Information Processing Standards (FIPS). FIPS are issued by NIST and defined by the Federal Information Security Management Act (FISMA) (Dean, 2013).

Furthermore, since 85% of critical infrastructure is private sector owned, the government overcomes challenges to its protection through the use of the National Infrastructure Protection Plan (NIPP). Achievement of security, management of risks and the development of resilience outcomes through the coordination of government and private sector participants is done by the NIPP. In addition to this, More and Kanungo (2016) note that, The Executive Order borrows from the Fair Information Practice Principles to develop stable and frim privacy and civil liberties protections (64). Critical infrastructure such as power, banking and finance, transportation, law enforcement and emergency services among others, are closely guarded by the federal government through these organizations and legislations.

Industry Standards

Private industry partners who control the vast majority of critical infrastructure have their own set of standards which govern information interchanges as well as IT services, materials and products (Cowley, 2013). The complete list of industry standard is extensive but there are major standards which are widely accepted and applied in industry best practices. According to Dean (2013) more than a thousand IT industry, as well as government representatives, form the American National Standards Institute (ANSI) (40). ANSI determines standards for the electronics industry as well as other fields which include; health, nuclear and chemical engineering. The organization does not require mandatory compliance but requests voluntary compliance to its standards (Dean, 2013).

Additionally, Dean (2013) notes the role of the International Standards Organization (ISO) in setting standards for communication and information-processing industries (41). Correspondingly, the ISO developed the OSI (Open Systems Interconnection) model which helps to understand and develop computer-to-computer communications over a network. The OSI model achieves this through subdividing the communications into seven layers -Physical, Data Link, Network, Transport, Session, Presentation, and Application- where services are performed by layer-specific protocols (Dean, 2013 pp. 42). The Electronic Industries Alliance (EIA) is a trade organization which sets rules for its members and also helps in the writing of ANSI standards. A society of engineering professionals makes up the Institute of Electrical and Electronics Engineers (IEEE) which promotes development and education in engineering and electrical fields, as well as helping in the formulation of ANSI.

Nuisances and Hardships of Adhering to the Standards

The implementation of government and industry standards on critical infrastructure is not without its challenges. More and Kanungo (2016) note the high cost placed on companies and organizations in adhering to standards as both a nuisance, and heavy burden placed on individuals and companies (268). In addition to this, Moussavi (2012) cites the lack of harmonization of some of the industry standards with national standards as a nuisance, and an unnecessary burden placed on stakeholders in IT. Set standards are also seen as limiting innovation as highlighted by More and Kanungo (271).

Effectiveness of the Standards

In spite of the challenges and burdens placed on stakeholders in adhering to the set standards, tremendous benefits have been realized from having the standards in place. Interoperability of IT services, products and materials has been greatly enhanced as a result of having industry-specific standards. Government standards such as Executive Order 13636 have helped to increase preparedness against potentially crippling cyber-attacks on critical infrastructure, as well as providing mitigation against potential threats. Dean (2013) notes that, benefits such as increased user data privacy and security have been increased though set industry standards.

Conclusion

There is a wide range of IT services, products and materials which are in use today all over the world. Consequently, information technology has become a key component in the functioning of vital government and private sector operations which are interlinked. As a result, the vulnerabilities to malicious attacks as well as challenges to interoperability of these components have become a key area of concern in IT. Therefore, more research as well as investment into better ways of protecting critical infrastructure is necessary in order to mitigate cases of malicious attacks. Stakeholders should also seek to harmonize various standards and regulations to ensure that they meet industry, as well as user needs in enhancing security and privacy of user data.

References

Cowley, J. (2013). Communications and Networking (2nd ed). London: Springer.

Dean, T. (2013). Network+ Guide to Networks (6th ed.). Boston, MA: Course Technology.

More, A., & Kanungo, P. (2016). Various e-Governance Applications, Computing Architecture and Implementation Barriers. In Proceedings of the International Congress on Information and Communication Technology (pp. 635-643). Singapore: Springer.

Moussavi, M. (2012). Data Communication and Networking: A practical approach (1st ed). Clifton Park, N.Y: Delmar.