
Continuous Compliance: Enhancing Cybersecurity for Critical Infrastructure by Strengthening Regulation, Oversight, and Monitoring

The U.S. Homeland Security Department headquarters in northwest Washington is pictured on Feb. 25, 2015. A popular Chinese-made automotive GPS tracker used by individuals, government agencies and companies in 169 countries has severe software vulnerabilities, posing a potential danger to life and limb, national security and supply chains, cybersecurity researchers said in a report released Tuesday, July 19, 2022, to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing six vulnerabilities.

Student Research Paper

An intrusion into a critical infrastructure facility risks the health, wellbeing, and safety of millions of people. The sixteen critical infrastructure sectors in the United States have little to no cybersecurity regulations or requirements. Cybersecurity standards, except for the energy, nuclear, and financial sectors, are voluntary and there is no legal penalty for lax practices. International standards are much the same: not mandatory and unenforceable.

Businesses that institute their own cybersecurity practices—even if they are stringent—often conduct an assessment or are audited on a point-in-time or period-in-time basis. This means that they verify adherence to a voluntary standard at a certain moment in time rather than in an ongoing manner. By assessing on a point-in-time basis, a business can only determine that it complies at that moment, rather than being notified when networks are noncompliant or drifting away from compliance standards or best practices.

Furthermore, many companies that run U.S. critical infrastructure are small, rural, or underfunded. These facilities do not have the financial resources to upgrade their cybersecurity practices and ensure ongoing monitoring, making them attractive targets to threat actors. They are poorly defended yet still responsible for facilities serving large populations. Recent intrusions, including ransomware and other attacks, have demonstrated the ease with which motivated threat actors can access these networks.

A transition from a point-in-time framework to a method of continuous compliance would raise the level of cybersecurity for critical infrastructure, making these essential services more reliable for the people relying on them. Continuous compliance represents a security posture and set of operational practices in which an organization persistently monitors, identifies, and rectifies current or potential lapses in its cybersecurity to ensure adherence to legal standards and industry best practices. The transition to continuous compliance requires a shift in an organization’s mindset to embrace monitoring, evaluation, learning, and adapting in an ongoing manner. It also requires enabling technologies, such as artificial intelligence and a compliance engine: software and a service that monitors specified inputs to measure compliance, track progress, and identify noncompliant systems and behaviors.

For businesses looking to make this transition, administrators must define and regulate cybersecurity standards, create methods to measure noncompliance and drift, and establish systems for notification of noncompliance within the network. Some of the services that a compliance engine can provide include alerting an administrator to risks to the network such as employees not using multi-factor authentication, accounts of former employees that are still active, or third-party access credentials still in use after a contract terminates. The main benefits of continuous compliance are increased cybersecurity for the business, increased reliability for the public, and decreased cost of compliance monitoring and evaluation.
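As an added illustration, not part of the paper, the Python sketch below shows the kind of checks such a compliance engine would run on each cycle: it evaluates a constructed account inventory against the three conditions named above and compares two runs to report drift (newly noncompliant versus resolved). The field names and sample records are assumptions made for this example.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per account, as an
# engine might pull it from an identity provider joined with HR and contract
# records. The field names are assumptions for this example.
ACCOUNTS = [
    {"user": "alice", "kind": "employee", "active": True, "mfa": True, "employed": True},
    {"user": "bob", "kind": "employee", "active": True, "mfa": False, "employed": True},
    {"user": "carol", "kind": "employee", "active": True, "mfa": True, "employed": False},
    {"user": "dave", "kind": "employee", "active": False, "mfa": False, "employed": False},
    {"user": "vendor-svc", "kind": "third_party", "active": True, "mfa": True,
     "contract_end": "2022-06-30"},
    {"user": "auditor", "kind": "third_party", "active": True, "mfa": True,
     "contract_end": "2023-01-31"},
]


def evaluate(accounts, today_iso):
    """Return the set of (user, rule) findings for the three checks the paper lists."""
    today = date.fromisoformat(today_iso)
    findings = set()
    for a in accounts:
        if not a["active"]:
            continue  # a disabled account cannot be used, so it raises no finding
        if not a["mfa"]:
            findings.add((a["user"], "mfa-not-enforced"))
        if a["kind"] == "employee" and not a["employed"]:
            findings.add((a["user"], "former-employee-account-active"))
        if a["kind"] == "third_party" and today > date.fromisoformat(a["contract_end"]):
            findings.add((a["user"], "third-party-access-after-contract-end"))
    return findings


def drift(previous, current):
    """Compare two runs: which findings appeared (drift) and which were fixed."""
    return {"new": current - previous, "resolved": previous - current}


if __name__ == "__main__":
    baseline = evaluate(ACCOUNTS, "2022-06-01")  # run before the vendor contract ended
    latest = evaluate(ACCOUNTS, "2022-08-01")    # a later run of the same checks
    for user, rule in sorted(drift(baseline, latest)["new"]):
        print(f"ALERT: {user} drifted out of compliance: {rule}")
```

Running the same evaluation on a schedule and alerting only on the `new` set is what turns a point-in-time audit into the ongoing notification the paper describes.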

Recommended citation

Baker, Julian. “Continuous Compliance: Enhancing Cybersecurity for Critical Infrastructure by Strengthening Regulation, Oversight, and Monitoring.” August 2022.