Computer viruses, online phishing scams, spyware, ransomware and other technological miscreants continue to plague society and appear to be increasing. For many government and private organizations, especially those small in size, it is challenging to assess their readiness to deal with these threats to their critical cyberinfrastructure. Most organizations have interdependent computers, networks, devices, and/or industrial control systems – and daily tasks to accomplish through the use of those systems. But many organizations lack the on-staff cybersecurity experts needed to confidently self-assess the state of their information technology infrastructure.
Thanks to Purdue Polytechnic’s Jim Lerums and Katherine Reichart, a solution is available for business managers, salespersons, physicians, lawyers, directors and other non-cybersecurity experts who run agencies, offices and businesses. Lerums and Reichart developed the Indiana Cybersecurity Scorecard, and you don’t need a degree in computer and information technology to use it.
Lerums, who graduated with a PhD in information security, and Reichart, who graduated with a master’s degree in computer and information technology, studied under Eric Dietz, director of Purdue Homeland Security Institute and professor of computer and information technology.
The need for cybersecurity awareness
In recent years, the United States was affected by more targeted cyberattacks than any other country, according to Symantec’s 2018 Internet Security Threat Report. In 2018, the Ponemon Institute reported that the average cost of each data breach was $7.91 million.
Attacks affect both public and private sectors. Industry has some of the best tools for cybersecurity, but Lerums noted it’s a government function to pursue and punish cybercriminals. That’s why state governors nationwide have seen the need for public-private partnerships.
“Critical infrastructure sectors are everywhere,” said Lerums. “Think about healthcare, companies that handle money, and power and water utilities. If any became unavailable due to an attack, it would cause major problems – possibly cascading problems.”
Businesses with industrial control systems can be affected physically as well as digitally. A cyber disruption of an industrial control could result in loss of resources, damage to equipment, and/or harm to human health.
“Factories often have machinery with controls designed by my parents’ generation,” Lerums said. “Automated systems with isolated relays and circuits were designed when the Internet didn’t exist and were made to last for twenty years. As companies started connecting those control systems to the Internet, they became subject to the same attacks as modern computers.”
Project origins
In April 2016, after a government agency in another state was hit by a ransomware attack, Indiana formed the Executive Council on Cybersecurity (IECC). Governor Eric Holcomb has guided the IECC to be a cross-sector body of subject-matter experts, including government officials and private-sector, military, research and academic stakeholders, who protect Indiana government and businesses. Security and information technology professionals and officers from Purdue University, Indiana University, the Federal Bureau of Investigation and the Department of Homeland Security were among those who participated. The Council’s goal: Form an understanding of Indiana’s cyber risk profile, identify priorities, establish a strategic framework of the state’s cybersecurity initiatives, and leverage the body of talent to stay on the forefront of the cyber risk environment.
Chetrice Mosley, cybersecurity program director at the Indiana Office of Technology and Indiana Department of Homeland Security, brought one of the Council’s initiatives, the development of a cybersecurity scorecard, to Purdue’s Eric Dietz, who asked Lerums to work on the project.
They started by looking around to see if assessment tools existed that could meet their needs.
“It was like ‘Alice in Wonderland’ at the beginning of our research,” said Lerums. “If you don’t know where you are going, any scorecard will do, and any cybersecurity risk measurement techniques will do.”
They discovered several existing scorecards, based on different standards and different assessment tools. For example, the National Institute of Standards and Technology has a comprehensive framework for assessing cybersecurity. But it’s difficult for small companies with limited expertise or funding to complete the assessment.
They also didn’t find any comparisons of existing tools that measured their effectiveness. Information that might accelerate improvements was difficult to locate.
“We wondered, what can Purdue bring to the state of Indiana?” said Lerums. “We realized we had a lot to offer.”
Purdue’s applicable strengths, Lerums said, were the following:
- The ability to automate the collection and analysis of data about cybersecurity threats and breaches
- Anonymity for those who want to keep details private about their organizations’ breaches
- The ability to update the scorecard over time to address new objectives and changes in threats
- Academic vigor and cybersecurity expertise needed to develop a scorecard
Dietz and Lerums partnered with state officials to create a workable cybersecurity scorecard for Indiana, and Reichart joined the project. They teleconferenced with Mosley every few weeks to set and refine their goals.
The team targeted several objectives for the Indiana Cybersecurity Scorecard. First, the tool should be usable by people who are not cybersecurity experts, enabling them to confidently learn, self-assess, and initiate cybersecurity improvement.
“Using the scorecard is voluntary, so it has to be non-threatening, understandable and educational to managers of organizations of all sizes, especially if they don’t have in-house expertise,” Lerums said. “The scorecard has to be accessible to everyone, including town government officials, non-profits, mechanics, dry-cleaners, and medical and construction workers.” When users identify a potential cybersecurity issue, Lerums said the scorecard was designed to enable self-help and to encourage them to contact professionals or government agencies for assistance when required.
The tool should provide a means of comparing preparedness across public and private sector organizations of any size within the state that are responsible for critical infrastructure and key resources.
Finally, the scorecard should utilize standards and measurements that support “apples to apples” comparisons between public and private entities. It should also support the state’s participation in external cybersecurity assessments such as the Nationwide Cybersecurity Review, which is reported every other year to the U.S. Congress.
“Through quantifiable measures, the scorecard can be used to compare results before and after cybersecurity initiatives are completed,” said Lerums. “The scorecard can be used to quantify the success of an organization’s initiatives.”
Lerums, Reichart and the team reviewed a variety of existing evaluation methods to identify best practices, including the Baldrige Cybersecurity Excellence Builder, the State of Michigan’s CySAFE IT Security Assessment Tool, the National Cybersecurity and Communications Integration Center and others. Each was reviewed to determine whether the standards it used were already required of Indiana organizations.
“Voluntary completion of questions on the Indiana Cybersecurity Scorecard is easier if an organization has already answered similar questions during other compliance checks,” said Lerums.
They selected the National Institute of Standards and Technology’s Cybersecurity Framework Core as a baseline for developing questions for the Indiana Cybersecurity Scorecard. The Core provides a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure and key resource sectors, Lerums said. The Core organizes industry standards, guidelines and practices, and it helps facilitate communication about cybersecurity within organizations.
Lerums and Reichart refined the Framework Core’s subcategories, selecting a level of detail to use in the Indiana scorecard that makes it accessible to organizations of every size.
“If each subcategory was addressed in our scorecard, it would have 98 questions,” said Reichart. “Several questions would be challenging to answer, if not impossible, for the operator of a small garage, nursery, law office or other non-information-technology organization.”
Areas of focus from the U.S. Department of Defense’s Cybersecurity Implementation Plan were used to refine the scorecard. The four focus areas are:
- Ensuring strong authentication: How do users log in?
- Hardening devices: Are devices and systems properly configured and updated?
- Reducing the attack surface: How many devices need to be connected to the Internet, and are those devices properly configured?
- Detecting and responding to potential intrusions: Can cyber-defenders do their jobs?
Lerums noted the difficulty organizations sometimes have is in hardening their devices. Some systems are old and obsolete, unable to be upgraded to a secure operating system, but remain in use simply because modernizing them is cost-prohibitive.
Scoring the scorecard
After refining the various categories and focus areas, Lerums and Reichart produced a pilot version of the Indiana Cybersecurity Scorecard. It contained 22 questions that were written with minimal jargon to be understandable by a non-technical office manager and short enough to be completable by small Indiana organizations.
Members of the Indiana Executive Council on Cybersecurity each invited one large, two medium, and three small organizations from across eleven critical infrastructure and key resource sectors, for a total of sixty-six organizations, to test the new assessment tool.
“We designed anonymity into the data collection and analysis process,” said Lerums. “We thought that would increase candor in the results and address concerns participants might have had about revealing their cybersecurity weaknesses.”
Usable data from 56 scorecards (an 85% participation rate) were received during the pilot phase from large, medium and small organizations, both public and private, across all of the state’s business, critical infrastructure and key resource sectors. The data immediately identified trends that could help show where organizations could focus resources for cybersecurity improvements. For example, many organizations noted a low level of confidence in the security of “smart” devices like security cameras, thermostats and alarm systems.
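The article describes three mechanics without showing them: scoring answers against the four focus areas, comparing results before and after an initiative, and aggregating anonymous responses by sector and size. The following is an added illustration written for this page, not the Indiana Cybersecurity Scorecard's own questions, scoring rules or code. The eight-question bank, the yes/partial/no weighting, the sample organizations and the minimum bucket size of three are all constructed assumptions; the bucket threshold shows one way the anonymity the team designed in can be preserved when results are published by sector and size.

```python
"""Toy scorecard scorer and anonymised aggregator (added example; hypothetical
question bank and weighting, not the Indiana scorecard's own)."""
from collections import defaultdict
from statistics import mean

# The four DoD focus areas the article lists, in a fixed order.
FOCUS_AREAS = ("authentication", "hardening", "attack_surface", "detection")

# Hypothetical question bank: question id -> focus area it measures.
QUESTIONS = {
    "q1": "authentication",  # e.g. multi-factor login for remote access
    "q2": "authentication",  # e.g. no shared administrator accounts
    "q3": "hardening",       # e.g. patches applied within a defined window
    "q4": "hardening",       # e.g. unsupported operating systems isolated
    "q5": "attack_surface",  # e.g. inventory of Internet-exposed devices
    "q6": "attack_surface",  # e.g. "smart" devices on a separate network
    "q7": "detection",       # e.g. logs reviewed on a schedule
    "q8": "detection",       # e.g. incident contact and plan documented
}
ANSWER_VALUE = {"yes": 1.0, "partial": 0.5, "no": 0.0}  # assumed weighting
MIN_BUCKET = 3  # suppress any sector/size bucket with fewer responses


def score_response(answers):
    """Score one organisation's answers: {focus_area: 0..100 or None}."""
    per_area = defaultdict(list)
    for qid, ans in answers.items():
        per_area[QUESTIONS[qid]].append(ANSWER_VALUE[ans])
    return {area: (round(100 * mean(per_area[area]), 1) if per_area[area] else None)
            for area in FOCUS_AREAS}


def weakest_area(area_scores):
    """Focus area with the lowest score; ignores areas with no answers."""
    scored = {a: s for a, s in area_scores.items() if a in FOCUS_AREAS and s is not None}
    return min(scored, key=scored.get)


def delta(before, after):
    """Per-area change (after minus before) between two scored responses."""
    return {area: round(after[area] - before[area], 1) for area in FOCUS_AREAS}


def aggregate(responses):
    """Group scored responses by (sector, size) with no organisation identifiers.
    Buckets smaller than MIN_BUCKET are dropped so a lone respondent cannot be
    singled out. Returns {(sector, size): {area: mean score, 'n': count}}."""
    buckets = defaultdict(list)
    for r in responses:
        buckets[(r["sector"], r["size"])].append(score_response(r["answers"]))
    summary = {}
    for key, scored in buckets.items():
        if len(scored) < MIN_BUCKET:
            continue  # anonymity: too few responses to publish
        summary[key] = {area: round(mean(s[area] for s in scored), 1)
                        for area in FOCUS_AREAS}
        summary[key]["n"] = len(scored)
    return summary


# Constructed sample responses (no real organisations).
SAMPLE_RESPONSES = [
    {"sector": "healthcare", "size": "small", "answers": {
        "q1": "yes", "q2": "no", "q3": "partial", "q4": "no",
        "q5": "yes", "q6": "yes", "q7": "no", "q8": "no"}},
    {"sector": "healthcare", "size": "small", "answers": {
        "q1": "yes", "q2": "yes", "q3": "no", "q4": "no",
        "q5": "partial", "q6": "yes", "q7": "partial", "q8": "no"}},
    {"sector": "healthcare", "size": "small", "answers": {
        "q1": "partial", "q2": "no", "q3": "yes", "q4": "partial",
        "q5": "no", "q6": "yes", "q7": "no", "q8": "partial"}},
    {"sector": "utility", "size": "large", "answers": {
        q: "yes" for q in QUESTIONS}},  # single respondent: will be suppressed
]

# Same small clinic after a logging/incident-plan initiative (constructed).
AFTER_INITIATIVE = dict(SAMPLE_RESPONSES[0]["answers"], q7="yes", q8="partial")

if __name__ == "__main__":
    first = score_response(SAMPLE_RESPONSES[0]["answers"])
    print("first org:", first, "weakest:", weakest_area(first))
    print("after initiative:", delta(first, score_response(AFTER_INITIATIVE)))
    for key, row in aggregate(SAMPLE_RESPONSES).items():
        print(key, row)
```

Run as-is it scores each constructed organization, reports the weakest focus area, shows the before/after change for one of them, and prints only the healthcare/small bucket, since the single large utility response falls below the publication threshold.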
Testing, correcting and updating
The Indiana Cybersecurity Scorecard is available for public use via the state of Indiana’s website: https://www.in.gov/cybersecurity/3837.htm
Lerums and Reichart said that the scorecard’s first version will help increase cybersecurity awareness, identify cybersecurity differences between sectors and sizes of organizations, and identify where to focus investments in cybersecurity.
“We hope that the scorecard will help nudge a shift from reactive to proactive cybersecurity,” Reichart said. “We have the opportunity to infer how large and small business will respond to cyber threats. The results will influence where policy will head and how we will spend money.”
The tool is also designed for flexibility. As organizations throughout the state increase their cybersecurity competence, the scorecard’s questions, data collection and analysis can be updated to remain relevant as new cyber threats emerge.
Lerums enjoyed the challenge of developing the tool. “It was a real-time, real-world adventure,” he said. “I’m glad it went into use right