For Sectors

LRDC Systems provides products and services to assist companies in their design and operation of Critical Infrastructure Protection.

Hardening Their Defenses

Leveraging Existing Practices

Information Technology's cybersecurity knowledge and practice has been suggested as a model for other sector's leveraging outside best practices. An implementation benefit could restrengthen the symbiotic supplier/operator relationship, such as, manufacturer and operator; or equipment manufacturer and retailer. Most critical sectors have existing safety regulations that could, in addition, serve a dual purpose of protection against cyber threats. These security requirements will reduce lifecycle costs and extending the safety requirements will improve the efficiency of security function implementation. Planning to take dual credit for these is just practical common sense.

Cyber Workforce Training

The next generation of scientists, mathematicians, and engineers will need their combined efforts to thwart the emerging cyber threats to our critical infrastructure. Research, curriculumn updates and development, and training are timely efforts.

Situation awareness and cyber workforce training helps maintain protection after a company has separated its systems. The cybersecurity workforce training and skills are more extensive than the training required of all company employees for cyber threat awareness and response. This more in-depth training can help stop emerging threats to the niche areas of digital commerce, cyber-physical systems, and the disigned-in critical infrastructure protection. It is preferred to use a designed-in method for product's hardware and software, but, when not feasible, other fortifying benefits are realized using simple mods to configuration management or assest management processes.

Phased Implementation

In most established critical sectors, it is not economically feasible to become resilient to cyber attacks overnight. Many security experts recommend a phased implementation approach, such as, the 3-steps, 'established,' 'improving,' and 'resilient' (E-I-R).

International Standards, Policies, Practices, and Procedures

There is a well established group of cyber security experts with extensive knowledge of the problem and solutions. Look to the following for sample guidance available.

Aviation Standard Guidance Examples

SAE ARP4761/(EUROCAE ED–135) "Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment"

SAE ARP4754A/EUROCAE ED–79 "Guidelines For Development Of Civil Aircraft and Systems"

RTCA DO-178/EUROCAE ED-12 "Software Considerations in Airborne Systems and Equipment Certification"

RTCA DO-278/EUROCAE ED-109 "Guidelines for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance"

RTCA DO-254/EUROCAE ED-80 "Design Assurance Guidance For Airborne Electronic Hardware

RTCA DO-236 "Minimum Aviation System Performance Standards: Required Navigation Performance for Area Navigation"

RTCA DO-326 "Airworthiness Security Process Specification"

NIST and ISO Security Standard Guidance Examples

NIST SP800-53 "Recommended Security Controls for Federal Information Systems and Organizations"

NIST SP800-82 "Guide to Industrial Control Systems (ICS) Security"

ISO/IEC 27000 "Information Security Management Systems"

Authorization, Identification, Access Control and Monitoring

Establishing access control and the monitoring of critical assets, in the separated business systems and operations systems, is a basis for the subsequent cybersecurity processes to build upon. Planning for authorization, identification, and monitoring systems to be part of the business system or operations systems' access control and monitoring is the starting point for establishing the verification of appropriate user system access. Remote/inside/outside electronic system access, by numerous means, are forms of "user."


Priortizing Critical Practices

To enter the 'established' phase it is necessary to determine both the inventory of the most critical assets and priortize the practices that will identify and protect them.

Fail-safe, fail-secure, failover, and fault-tolerate designs are part of the best practices for the high priority critical asset design to become resilient.

Counterfeit detection and anomoly detection are mechanisms to thwart some of the cyber threats to the global economy. Improving these detection mechanisms is critical to ongoing protection of sector infrastructure.

Existing models for some sectors can be adopted by other sectors to more rapidly establish protection and resiliency capability to cyber threats.

Planning for reporting, feedback, impact analysis, and responses to known and unknown vulnerabilities is part of the task of being resilient to cyber attacks and disasters.

Measuring What Matters

Measuring the protection and tracking of an asset that matters, if lost, counterfeited, or compromised, helps improve the resilience of a sector or company. If you are measuring, then the corresponding process is 'established.' The feedback from these measurements are inputs to the 'improvement' process. One demonstration of resilience is with the measurement evidence of a thwarted attack or recovery.

Asset Identification Management, Two-Way Traceability & Transfer

Once an asset is determined to be critical, a mechanism should exist to track and trace it from cradle to grave, and in the most current scenarios, also in reuse, or application in other areas.

Configuration Management Hardening

Configuration management is the mechanism of establishing, identifying and protecting a system or product's functionality, consistency, requirements, design, operation, environment, version, etc. Most sectors have long established tools to assist with this difficult, critical task, yet, in the global economy, these tools need to be revisited and hardened to reestablish trust.

Research & Development

Even though there exists a large body of knowledge in the field of cyber security, the threat vectors are always adapting and evolving, requiring ever vigilent research and development in the field.


Security Education & Training

The rest of the workforce needs to be aware of the cyber threat and the common prevention mechanisms available to them for appropriate responses, but not to the level of extra training required of the IT specialists or the skills for the cyber workforce.

Asset Receipt & Tracking

After a product leaves the factory, the asset should be received by the operations entity. The coordination and collaboration of sector cyber threat information should be included and continued with other asset information while in operation. The asset metadata should incorporate its priority to enable cyber risk assessment, impact analysis, and response planning priority. Two-way traceability supports resiliency during disaster recovery and cyber attack.

Operations Phased Implementation & Planning

After critical asset identification and protection priortization, comes the phased implementation planning from this basis to transition to a resilient entity with resilient sytems and products.

Operations Incident Reporting & Feedback

Shared responsibility and liability is a potential benefit of sector community incident reporting and feedback mechanisms.

Across Sectors

International Standards Practice & Compliance

A First Priority across sectors that has been advocated and practiced by early adopting sectors is the separation of systems used in a company's business from the company's operations. Some indicate that this should be done first order. Even the most critcal sectors have found, on audit, the separation of the systems to be very difficult to effectively realize. Clearly, other protection practices should be planned simultaneously, assuming this separation.

Measuring What Matters - Metrics

Establishing a measure/audit of effectiveness is always necessary to gauge improvements. Perfect measurement should not be the enemy of sufficient metrics on critical asset protection. Saying what to do and then doing it, is a simple rule to establish the practice of doing the right thing.

Supply Chain Management, Two-Way Traceability & Transfer

The hot topic of the season is supply chain management, and there is a growing body of evidence that is well deserved. Nation states have found financial and other motivation to take hacker techniques to the next level. In the global economy the supply chain necessarily crosses borders. Novel mechanisms are needed to reestablish trust amongst buyer, supplier, and user/operator.

Critical Asset Inventory

Widely considered to be in the top five of imperative security practices is the inventory of critical assets. The entity's inventory control system should allow for storing and retrieval of critical asset metadata. This metadata should incorporate an asset's priority to enable cyber risk assessment, impact analysis, and response planning priority. Two-way traceability of an asset supports resiliency during disaster recovery and cyber attack.

Counterfeit detection and anomoly detection are mechanisms to thwart some of the cyber threats to the global economy. Improving these detection mechanisms is critical to ongoing protection of sector infrastructure.

Awareness & Data Exchange

Shared responsibility and liability is a potential benefit of sector community incident reporting and feedback mechanisms. The Energy Sector has established this model and serves as a base for collaboration guidelines.