Editor's Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
You may have heard some buzz in the press (both US and International) about the release of the Cybersecurity Framework Draft from the US National Institute of Standards and Technology (NIST). However, you may not know much about its background. And you probably don't know what it may mean to you as a control or security professional. This blog post will give you a high level overview of the genesis of this document and some handy points of reference.
The Executive Order That Gets It all Rollin'
Regardless of where one lives in the world, we all know that our country's national infrastructures are very important to our economies and our national defense. And with incidents like the attacks on the gas pipeline industry and the details revealed in the Madiant Report, nowhere has this point been driven home more than in the US.
So due to the growing concerns over continued cyber attacks on US national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing, etc. – President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," on February 12, 2013. This document is fondly referred to as the "EO."
The EO called for development of a voluntary Cybersecurity Framework to provide a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" for assisting organizations responsible for critical infrastructure services to thus manage cybersecurity risk.
Critical infrastructure is defined in the EO as "systems and assets – whether physical or virtual – so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Example industry sectors and the corresponding Federal oversight agency in the US that are considered as "critical infrastructure" are shown in the table below.
As a follow up to the EO, NIST was assigned responsibility for development of the Framework in collaboration with industry feedback. The Framework is intended to provide guidance to an organization on managing cybersecurity risk. A key objective of the Framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk, while factoring in larger systemic risks inherent to critical infrastructure.
The previous sentence is important – if the framework is accepted, then cybersecurity risk and considerations need to be included in the day-to-day discussions at your company or organization. As you expand your business, build new facilities, install new equipment and hire new people, cyber security must be part of the management discussion.
Okay – Now Let's Talk About the Framework
So what does the Framework contain? According to the Cybersecurity Framework Overview, the Framework shall:
include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.
And, what is the Framework supposed to do? Again according to the overview documents, the Framework:
shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processed developed to address cyber risks.
shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
So, with the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:
1. Describe their current cybersecurity posture (and a semblance of maturity level)
2. Describe their target state for cybersecurity
3. Identify and prioritize opportunities for cybersecurity improvement within the context of risk management
4. Assess progress toward the target state, and
5. Foster communications among internal and external stakeholders.
A key aspect of the Framework is that it is not intended to replace an organization's existing business or cybersecurity risk management process and cybersecurity program. Instead, the organization can use its current processes and leverage the Framework to identify areas to improve its cybersecurity risk management. Also, the Framework can be helpful to a company that does not have a currently existing cybersecurity program so they can build in key elements raised by the Framework.
First of all, take a look at the list of the critical infrastructures listed above. Does your company fall into any of those categories? If not, is your company substantially reliant on any of those key infrastructures for your success and even existence? If the answer to either is YES then I'd suggest you take time to read the draft Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.
Secondly, acquaint your Executive Management and Board Members with the Framework. Give them a sense of how your company stands today relative to the Framework Implementation Tiers listed. Use this as a means of highlighting your organization's "Cybersecurity maturity level". If you aren't near the top, use it to highlight the resources (i.e., people, time and money) you need to raise your game.
Thirdly, take a hard look at the Framework and "test drive" it as it stands. Then provide comments back to NIST as described at their page "Request for Comments on the Preliminary Cybersecurity Framework." Comments must be submitted before December 13, 2013, so you don't have much time.
When you read the draft Framework, recognize that it is not a "checklist" or a simple "compliance" item to be fulfilled. Nor is it a "how-to" on building a security program (check out ISA/IEC-62443.02.01 for that). Instead the framework provides a set of performance objectives for your cybersecurity risk program to achieve against your prioritized list of key assets.
So consider the framework to be a nationwide score card for security preparedness. Maybe even an international score card. Either way, you don't want to be at the bottom of the class when the hackers come calling.
White House Press Release: Executive Order -- Improving Critical Infrastructure Cybersecurity
White House Press Release: Presidential Policy Directive -- Critical Infrastructure Security and Resilience
NIST Presentation: Cybersecurity Framework Overview
Executive Order 13636: Preliminary Cybersecurity Framework