Cybersecurity infrastructure standards exist to protect both you (the company) and your customers, but there are many to keep track of, and they’re always evolving. A best practice for any IT department or cybersecurity team is to stay on top of the most important ones.
In addition to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), which focuses on securing the bulk electric system in North America, numerous other standards and frameworks are designed to protect critical infrastructure across various regulated industries.
These standards address everything from cybersecurity to physical security to operational resilience in various sectors, including energy, healthcare, finance, transportation, and more.
Here’s an overview of the most important ones for each sector.
Energy
ISO/IEC 27019
ISO/IEC 27019 is a specialized standard for information security management in the energy utility industry. It extends the principles of ISO/IEC 27002 to process control systems used for generating, transmitting, storing, and distributing electric power, gas, oil, and heat. This standard helps energy providers implement a standardized information security management system (ISMS) that aligns with ISO/IEC 27001, ensuring secure operations from the business to the process control level.
Key components include:
- Scope: Covers the process control systems energy utilities use for the generation, transmission, storage, and distribution of electric power, gas, oil, and heat, including the interfaces between those systems and corporate IT.
- Implementation: Aligns with ISO/IEC 27001 so that OT-specific controls can be managed inside the same ISMS that covers the business side of the utility, rather than in a separate program.
EU NIS2 Directive
The European Union’s NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive and widens its scope. It applies to “essential” and “important” entities in sectors such as energy, transport, banking, health, drinking water, and digital infrastructure, and member states were required to transpose it into national law by October 2024. It mandates risk management and incident reporting measures to ensure the continuity of critical services.
Key aspects include:
- Risk management: Requires entities to implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risk. Article 21 lists the minimum areas these must cover, including incident handling, business continuity and backup management, supply chain security, vulnerability handling, the use of cryptography, and multifactor authentication.
- Incident reporting: Mandates a staged reporting process for significant incidents: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within one month. Management bodies can be held personally accountable for failures to comply.
Healthcare
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) includes privacy, security, and breach notification rules designed to safeguard protected health information (PHI), with the Security Rule focused on electronic PHI (ePHI). These rules apply to covered entities (providers, health plans, and clearinghouses) and to the business associates that handle PHI on their behalf.
Key components include:
- Privacy rule: Regulates the use and disclosure of PHI. Disclosures for treatment, payment, and healthcare operations are permitted without the patient’s involvement; most other uses and disclosures require a written authorization from the patient.
- Security rule: Requires administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of ePHI, starting from a documented risk analysis. Several safeguards are “addressable,” meaning an organization must implement them or document why an alternative is reasonable and appropriate.
HITRUST CSF
The HITRUST Common Security Framework (CSF) integrates multiple regulatory and industry requirements, including HIPAA, into a single set of controls. It provides one assessment that an organization can use to demonstrate its risk management posture to many parties at once, and it is widely used in healthcare.
Key features include:
- Comprehensive framework: Maps healthcare-specific security and privacy requirements to sources such as HIPAA, NIST SP 800-53, and PCI DSS, so one control implementation can satisfy several obligations.
- Levels of assurance: HITRUST originally distinguished self-assessment, CSF-validated, and CSF-certified reports; its current offerings are the e1, i1, and r2 assessments, which increase in control scope and assurance level. Validated assessments are performed by a HITRUST-authorized external assessor.
Financial Services
GLBA: Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a U.S. federal law that governs how financial institutions handle the private information of individuals. Its primary purpose is to protect consumers’ personal financial data and ensure transparency in how this data is collected, used, and shared by organizations engaged in financial activities.
GLBA is enforced by the Federal Trade Commission (FTC), federal banking agencies, and state insurance regulators. Non-compliance can result in significant penalties and reputational damage. It was one of the first major U.S. data privacy laws for the financial sector, setting a precedent for transparency, consumer control, and proactive data protection.
Who Must Comply
GLBA applies to a broad range of organizations, including:
- Banks and credit unions
- Mortgage lenders and brokers
- Insurance companies
- Investment firms and advisors
- Tax preparation services
- Money transfer services
- Real estate settlement providers
- Certain higher education institutions significantly engaged in financial activities
Key Provisions of GLBA
The Act is structured around three main rules:
1. Financial Privacy
The financial privacy part of GLBA requires financial institutions to provide clear privacy notices to customers at the start of a relationship and annually thereafter. Notices must explain what information is collected, how it is used, and with whom it is shared. Customers must be given the right to opt out of sharing their nonpublic personal information (NPI) with nonaffiliated third parties. This also limits the use and re-disclosure of NPI by third parties.
2. Safeguards
The safeguards part, implemented by the FTC as the Safeguards Rule (16 CFR Part 314, substantially amended in 2021), mandates that institutions develop, implement, and maintain a comprehensive written information security program to protect customer data, including:
- Designating a qualified individual to oversee the program
- Performing written risk assessments on a regular basis
- Implementing controls that address the identified risks, including access controls, encryption of customer information in transit and at rest, and multifactor authentication for anyone accessing customer information
- Testing the controls through continuous monitoring or, failing that, annual penetration testing and vulnerability assessments at least every six months
- Training staff and keeping security personnel current
- Overseeing service providers by contract and periodic assessment
- Maintaining a written incident response plan and reporting to the board or senior leadership at least annually
Since 2024 the rule also requires institutions to notify the FTC within 30 days of discovering a breach that affects 500 or more consumers.
3. Pretexting Provisions
This part prohibits pretexting, that is, obtaining customer information under false pretenses (for example, by impersonating the customer or a bank employee over the phone). Institutions are expected to train staff to recognize such attempts and to implement procedures that detect and prevent unauthorized access to sensitive information.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any organization that stores, processes, or transmits cardholder data. It outlines specific security controls to protect that data and the systems that touch it; the current major version is PCI DSS v4.0.
Key requirements include:
- Security requirements: Twelve requirements grouped into six goals, covering network security controls, protection of stored account data, encryption of cardholder data in transit over public networks, vulnerability management, access control and authentication, logging and monitoring of all access to cardholder data, and regular security testing.
- Compliance: Requires annual validation, either a Self-Assessment Questionnaire or a Report on Compliance performed by a Qualified Security Assessor depending on the merchant level, plus quarterly external vulnerability scans by an Approved Scanning Vendor.
ISO 22301
This standard (ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements) focuses on business continuity management, which is essential for financial institutions that must keep operating through disruptions. It specifies requirements for a business continuity management system (BCMS) and, like ISO/IEC 27001, follows the common structure used by ISO management system standards, so the two can be run together.
Key components include:
- Business continuity planning: Specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a documented BCMS, including business impact analysis, recovery strategies, and regular exercising of the plans.
- Certification: Accredited certification bodies can certify an organization against the standard, demonstrating adherence to good practice in business continuity management.
Transportation and Aviation
TSA Pipeline Security Guidelines
The Transportation Security Administration (TSA) publishes the Pipeline Security Guidelines to protect critical pipeline infrastructure in the U.S., similar in intent to NERC CIP for the bulk electric system. The guidelines themselves are voluntary, but after the 2021 Colonial Pipeline ransomware incident, TSA issued binding security directives for owners and operators of critical pipelines that add mandatory cybersecurity requirements.
Key aspects include:
- Risk-based security program: Recommends establishing a risk-based corporate security program, identifying critical facilities, and planning for security threats and incidents.
- Cybersecurity measures: Includes guidelines for pipeline cybersecurity, such as asset inventory, access control, and segmentation between IT and OT networks, organized around the functions of the NIST Cybersecurity Framework. The security directives further require incident reporting to CISA, a designated cybersecurity coordinator, and an implementation plan for specified mitigation measures.
Annex 17
The International Civil Aviation Organization’s (ICAO) Annex 17 establishes standards for securing civil aviation against acts of unlawful interference. It sets international security protocols for airports and airlines.
Key components include:
- Security protocols: Establishes standards for airport and airline security, including access control and surveillance.
- International compliance: The Annex consists of Standards and Recommended Practices (SARPs). Contracting states must implement the Standards, or formally notify ICAO of any differences, which gives passengers and cargo a consistent baseline of security across international aviation.
Water and Wastewater Systems
America’s Water Infrastructure Act (AWIA)
The AWIA (America’s Water Infrastructure Act of 2018) requires community water systems serving more than 3,300 people to assess and mitigate risks to their systems, including cybersecurity threats. It amended the Safe Drinking Water Act and is administered by the EPA.
Key aspects include:
- Risk assessment: Mandates that covered utilities conduct a risk and resilience assessment, prepare or update an emergency response plan based on it, and certify completion to the EPA. Both must be reviewed and recertified every five years, with deadlines staggered by system size.
- Cybersecurity focus: The assessment must explicitly cover the electronic, computer, and other automated systems the utility uses, including monitoring and control systems, not only physical assets.
AWWA G430
The American Water Works Association’s (AWWA) G430 focuses on security practices for water utilities. It provides guidelines for managing security risks and ensuring the resilience of water supply systems.
Key components include:
- Security guidelines: Offers best practices for securing water utilities, including physical security measures and emergency response planning.
- Resilience: Aims to enhance the resilience of water supply systems against various threats.
Manufacturing and Industrial Control Systems (ICS)
IEC 62443
IEC 62443 is a family of standards for securing industrial automation and control systems (IACS), developed by ISA and IEC. It is widely used in manufacturing and other industries, and its parts are addressed to different roles: asset owners, system integrators, and product suppliers.
Key aspects include:
- Security requirements: Defines the zone-and-conduit model for segmenting a plant, and four security levels (SL 1 through SL 4) that express how capable an attacker a zone must resist. IEC 62443-3-2 covers risk assessment and zone design, 62443-3-3 the system-level requirements per security level, and 62443-2-1 the asset owner’s security program.
- Implementation: IEC 62443-4-1 specifies a secure product development lifecycle for suppliers and 62443-4-2 the technical requirements for individual components, so security can be built in across every level of the ICS architecture, from the component up to the site.
NIST SP 800-82
The National Institute of Standards and Technology’s (NIST) Special Publication 800-82 provides guidelines for securing industrial control systems across sectors, including critical manufacturing. Revision 3 (2023) broadened the scope and retitled it the Guide to Operational Technology (OT) Security.
Key components include:
- Best practices: Offers recommendations for securing OT, including network segmentation between enterprise and control networks, restricted remote access, patch management adapted to availability constraints, and monitoring, along with an overview of typical ICS architectures and threats.
- Control overlay: Provides an OT-specific overlay of the NIST SP 800-53 controls, which tailors the enterprise control set to the safety and availability requirements of control systems.
Telecommunications
ISO/IEC 27011
ISO/IEC 27011 provides information security management system guidelines tailored specifically for telecommunications organizations. It helps telecom companies implement effective security controls to protect their networks and services.
Key aspects include:
- Telecom-specific guidelines: Supplements ISO/IEC 27002 with controls and implementation guidance for telecommunications organizations, covering areas such as the confidentiality of communications, the protection of network facilities, and service availability.
- Compliance: Supports an ISO/IEC 27001 ISMS in the telecom sector, so the same certification path applies with sector-specific controls added.
5G Cybersecurity Frameworks
Standards for securing 5G networks are developed by 3GPP, which defines the 5G security architecture and its Security Assurance Specifications (SCAS) for network equipment, together with industry bodies such as the GSMA and ETSI. The GSMA’s Network Equipment Security Assurance Scheme (NESAS) uses the 3GPP SCAS tests to assess vendors’ development processes and products.
Key components include:
- Unique challenges: Addresses risks specific to 5G, such as a virtualized, software-defined core, network slicing, and a much larger population of connected devices, all of which expand the attack surface compared with earlier generations.
- International collaboration: Relies on cooperation between standards bodies, operators, equipment vendors, and governments (for example, the EU’s 5G cybersecurity toolbox) to produce security requirements that are applied consistently across markets.
Cross-sectoral Standards
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is widely adopted across industries. It organizes cybersecurity outcomes into high-level functions that cover governing a program and identifying, protecting, detecting, responding to, and recovering from cybersecurity risk, and it provides a common language for managing that risk.
Key components include:
- Core functions: The original framework defined five functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0, released in February 2024, adds a sixth, Govern, covering strategy, roles, policy, and supply chain risk management.
- Implementation: Offers a flexible framework that any sector or organization can tailor, using profiles to describe current and target states and tiers to characterize the rigor of risk management practices.
ISO/IEC 27001
This international standard for information security management systems applies to any organization. It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS, so that information security risks are managed in a repeatable way; the 2022 edition pairs this with 93 reference controls in Annex A, grouped into organizational, people, physical, and technological themes.
Key aspects include:
- Global applicability: Applicable to all types of organizations, regardless of size or industry, and frequently requested by customers as evidence of due care.
- Certification: Accredited certification bodies can certify an organization against the standard, with periodic surveillance audits, demonstrating an ongoing commitment to information security management.
CISA Guidelines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers guidelines and recommendations for securing critical infrastructure across the sectors it coordinates. These range from sector-specific advisories to its Cross-Sector Cybersecurity Performance Goals (CPGs), a prioritized baseline of practices intended for organizations that are not ready for a full framework.
Key components include:
- Sector-specific guidance: Provides tailored guidance and advisories for different critical infrastructure sectors, such as energy, water, and transportation, and maintains the Known Exploited Vulnerabilities (KEV) catalog that organizations can use to prioritize patching.
- Risk management: Emphasizes risk management and incident response planning, and encourages voluntary incident reporting so that CISA can share indicators and mitigations with other operators.
Data Privacy
GDPR: General Data Protection Regulation
The GDPR applies to any organization—regardless of location—that processes the personal data of individuals in the European Union. Non-compliance can result in fines up to €20 million or 4% of annual global turnover, whichever is higher.
Its core principles are:
- Lawfulness, fairness, and transparency: Data must be processed legally, fairly, and transparently to the individual.
- Purpose limitation: Data is collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes.
- Data minimization: Only data necessary for the intended purpose is collected.
- Accuracy: Data must be kept accurate and up to date.
- Storage limitation: Data is retained only as long as necessary.
- Integrity and confidentiality: Data must be secured against unauthorized access, loss, or destruction.
- Accountability: Organizations must be able to demonstrate compliance with all these principles.
The GDPR mandates robust technical and organizational measures, including encryption, access controls, and regular audits. Article 32 specifically requires security proportional to the risks, making cybersecurity a legal necessity.
CCPA: California Consumer Privacy Act
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one threshold. As amended by the California Privacy Rights Act (CPRA), these are annual gross revenues above $25 million (adjusted periodically for inflation), buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information.
CCPA’s core stipulations include:
- Right to Know: Consumers must be informed about what personal data is collected, how it is used, and with whom it is shared.
- Right to Access: Consumers can request access to their personal data.
- Right to Delete: Consumers can request deletion of their personal information, with some exceptions.
- Right to Opt-Out: Consumers can prohibit the sale of their personal information and, under CPRA, its sharing for cross-context behavioral advertising. Businesses must provide a clear “Do Not Sell or Share My Personal Information” option and honor opt-out preference signals such as Global Privacy Control.
- Right to Non-Discrimination: Consumers cannot be treated differently for exercising their privacy rights.
- Regular Policy Updates: Privacy policies must be updated at least every 12 months.
While CCPA does not prescribe specific security controls, it obligates businesses to implement “reasonable security procedures and practices” to protect consumer data. The California Privacy Rights Act (CPRA) further expands these requirements, including regular risk assessments and cybersecurity audits.
How Pure Storage Helps Companies Comply with Cybersecurity Standards
By providing robust data storage solutions and advanced security features, Pure Storage enables companies to meet regulatory requirements effectively and efficiently.
Here’s how Pure Storage specifically helps:
NIST CSF 2.0 Compliance
The Pure Storage platform is designed to align with the NIST Cybersecurity Framework (CSF) 2.0, which emphasizes building a resilient cybersecurity program. By mapping its capabilities to the CSF 2.0 functions, Pure Storage helps organizations strengthen their data protection strategies and adapt to evolving threats. Snapshot-based fast restore and backups shorten recovery time, so IT leaders can focus on compliance rather than downtime.
Data Encryption
Pure Storage® FlashArray™ offers FIPS 140-2-certified encryption, so that data at rest is protected with validated cryptography. This encryption is transparent to users and requires no management, and it supports the data-at-rest encryption requirements of standards such as PCI DSS. These capabilities help organizations meet data protection obligations across industries.
Cyber Resiliency
Pure Storage cyber resilience solutions allow businesses to recover from cyber incidents quickly, which is crucial for maintaining operational continuity and compliance. By providing a unified data platform with features like SafeMode™ Snapshots and Evergreen//One™, Pure Storage ensures that companies can restore critical data in minutes, not hours or days. This capability is essential for meeting the recovery requirements of various standards.
By leveraging these capabilities, Pure Storage empowers organizations to not only comply with cybersecurity standards but also maintain a robust security posture that protects against evolving threats.
Conclusion
Cybersecurity infrastructure standards are crucial for protecting critical infrastructure across various sectors, including energy, healthcare, finance, transportation, and more. These standards, such as NERC CIP for the energy sector, HIPAA for healthcare, and PCI DSS for financial services, address cybersecurity, physical security, and operational resilience. To comply with these evolving standards, organizations must stay informed and adapt their security strategies accordingly.
Pure Storage supports compliance by offering robust data storage solutions with advanced security features. Its solutions align with frameworks like the NIST Cybersecurity Framework and provide data encryption, cyber resiliency, and recovery capabilities that meet or exceed industry standards. By leveraging them, companies can strengthen their data protection strategies, maintain operational continuity, and satisfy cybersecurity regulations across sectors while keeping a robust security posture against evolving threats.