Core Goal #6: Cybersecurity and Critical Infrastructure Protection
All critical government computer networks and systems should be protected from cyber attack. Critical private sector entities including utilities should be included in cyber security planning, training, and exercising. The State should be able to effectively respond to cyber incidents involving public and private networks that impact the well-being of Maryland residents, businesses, and the ability of the State to provide essential government services. Maryland should have a complete and prioritized inventory of critical infrastructure, including assets controlled by the private sector, and a system for securing high-priority targets or populations of interest.
Why Cybersecurity and Critical Infrastructure Protection Is Important
Critical Infrastructure Protection identifies, quantifies, and prioritizes weaknesses in the security of critical infrastructure and key resources (CI/KR) due to threats resulting from natural or man-made hazards. Critical Infrastructure assessments provide security personnel with the necessary information to direct investments toward and implement new protective measures to harden key facilities and critical systems. Computer and information networks face unique and emerging threats in the form of cyber attacks and crimes. Publicly and privately owned information networks must be secured to avoid the loss or disruption of critical or life-safety services.
Strategic Plan for Cybersecurity and Critical Infrastructure Protection
6A – All State government computer networks and systems should be protected from cyber attacks and regularly tested for security and safety.
• Coordinate individual state agency network protection plans so that each agency meets a minimum protection standard, addresses physical and electronic assets, and includes an annual security self-audit.
• Lead regular training for state agency Chief Information Officers (CIOs) and develop and provide network safety and security training materials for the State’s workforce.
• Collect reports of cyber attacks or incidents against state agency networks and create a process to share information with the appropriate IT and public safety stakeholders in a timely manner.
• Conduct random data security compliance assessments for selected agencies throughout the year and, where applicable, include the results of such assessments in agency self-audit reports.
6B – Critical private sector entities including utilities should be included in cybersecurity planning, training, and exercising.
• Identify private sector networks critical to the operations of the State’s information technology infrastructure and share and implement cybersecurity solutions including both technological solutions and training and education of personnel.
• Share alerts and notifications of potential cyber threats with trusted private sector partners.
6C – Maryland should be able to effectively respond to cyber incidents involving public and private networks that affect the well-being of Maryland residents, businesses, and the ability of the State to provide essential government services.
• Develop a cyber incident response plan to coordinate federal, state, local, and private sector activities and manage the risks associated with an attack or malfunction of critical information technology systems within the State.
• Ensure all State agencies’ Continuity of Operations (COOP) Plans include alternate methods of business operations for systems that may be affected by a cyber incident.
6D – Maryland should have a complete and prioritized inventory of critical infrastructure, including assets controlled by the private sector, and a system for securing high-priority targets or populations of interest.
• Develop a single, shared database of Maryland’s Critical Infrastructure, map all qualifying assets, and overlay Suspicious Activity Reports (SARs) to identify patterns and proximity to Critical Infrastructure.
• Create a platform to disseminate alerts and notifications regarding threat intelligence and emergency incidents to Critical Infrastructure owners and operators.
• Prioritize Maryland’s Critical Infrastructure assets and conduct on-site physical security assessments at high-risk facilities and sites.