Brad Nix, senior advisor at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), said Thursday at MeriTalk’s Cyber Security Brainstorm that DHS’s establishment earlier this week of its new National Risk Management Center represents “an acknowledgement on our end that there is more to be done” to assess risk faced by critical infrastructure sectors–some of which have less well-developed abilities to detect and respond to threats.
The NRMC was announced by DHS Secretary Kirstjen Nielsen as a first response outlet for private sector critical infrastructure companies that are targeted by cyberattacks.
DHS has designated 16 critical infrastructure sectors–chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, IT, nuclear, sector-specific agencies, transportation systems, and water and wastewater systems.
Some of those sectors, like financial services and communications, are regarded as having robust cyber and other defenses, while portions of other sectors may be lagging behind.
“We need to do a better job at how sectors interrelate,” Nix said on Thursday, adding that there are “efforts to make sure all those connections are happening.” Creation of NRMC, he said, “will help those conversations along,” and NCCIC staff can help build better relationships for the sharing of threat and protection information.
“Structural awareness” of security issues remains lacking in some critical infrastructure sectors, Nix said, adding that security workforces in some cases are poorly trained.
Owners and operators of critical infrastructure, he said, “have taken a while to realize how critical they are.”
On a separate front, in response to a query about how NRMC will differ in practice from the well-advertised help that DHS’ National Protection and Programs Directorate (NPPD) brings to the private sector in the area of cyber defense, a DHS official told MeriTalk that creation of NRMC reflects a “bifurcation” of NPPD’s cybersecurity and critical infrastructure protection missions.
The official said those two distinct missions are “still being delineated,” but emphasized that the process will end up better defining security issues important to many critical infrastructure sectors–such as supply chain risk–that are faced by a number of sectors that typically do not communicate with each other.
The larger goal, the official said, is fostering greater collaboration between various critical infrastructure sectors and pursuing a more “formulated” approach to achieving that collaboration.
NRMC, the official said, aims to improve on current practice, where sharing of infrastructure protection expertise often happens on a more ad hoc basis between operators who have existing relationships either by industry or by personnel.
The hoped-for result is that more critical infrastructure entities will have a better definition of pressing security issues that may apply to many of them, but about which they don’t typically share much information or strategy.
The official indicated that NRMC will not require a heavy lift in the way of establishing extensive new operations, because many of the functions the center will need are already resident in NPPD and NCCIC.