A few weeks ago I prepared a blog for Tofino Security summarizing the key aspects of the DRAFT NIST Cybersecurity Framework. I guess I hit the target because the blog has been posted on a few other sites and referred to in some Tweets.
(From Cover of National Infrastructure Protection Plan - http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf)
Anyway, since you are one of my readers, my original submittal for the Tofino blog is posted below.
But, don't forget, NIST has requested comments on the Cybersecurity Framework by Friday, December 13th.
Take care, have a great and safe week, and here is the blog ... Ernie
########################################
You may have heard a bit of buzz in the US national, and even international, press about the release of the draft Cybersecurity Framework from the US National Institute of Standards and Technology (NIST). However, you may not know about its background or what it may mean to you as a control systems manager. This post is intended to give you a high-level overview of the genesis of the document and some points of reference.
Background
As we realize more and more every day, our national infrastructure, whether in Canada, the US or any other country, is vital to our economies as well as to our national defense. Because of concerns over continued cyber attacks on US national infrastructure (the electric grid, water systems, transportation networks, banks and financial institutions, critical manufacturing, etc.), President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. This document is fondly referred to as the “EO.”
The EO also called for development of a voluntary Cybersecurity Framework to provide a “…prioritized, flexible, repeatable, performance-based, and cost-effective approach” to help organizations responsible for critical infrastructure services manage cybersecurity risk.
Critical infrastructure is defined in the EO as “…systems and assets – whether physical or virtual – so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Example industry sectors, with the corresponding Federal oversight agency, that are considered “critical infrastructure” include[1]:
As a follow-up to the EO and PPD-21, NIST was assigned responsibility for developing the Framework in collaboration with industry. The Framework is intended to provide guidance to an organization on managing cybersecurity risk. A key objective of the Framework is to encourage organizations to treat cybersecurity risk as a priority on a par with financial, safety and operational risk, while factoring in the larger systemic risks inherent to critical infrastructure.
In other words, cybersecurity risk and considerations need to be included in the day-to-day discussions at your company or organization as you expand your business, build new facilities, install new equipment and hire new people.
Let’s Talk About the Framework
First, the EO instructed NIST to take the lead in developing the Framework, so you can find the draft Framework document and supporting information at www.nist.gov.
And, what does the Framework contain? Per the EO, the Cybersecurity Framework:
- shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
- shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible; and
- shall be consistent with voluntary international standards when such international standards will advance the objectives of the order.
And, what is the Framework supposed to do? Again per the EO, the Framework:
- shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
- shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure;
- will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;
- should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks; and
- shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
So, with the guidance above, and with input from industry, the draft of the Framework is intended to provide a common language and mechanism for organizations to:
- Describe their current cybersecurity posture (and a semblance of maturity level)
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for cybersecurity improvement within the context of risk management
- Assess progress toward the target state, and
- Foster communications among internal and external stakeholders.
A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cybersecurity risk management process or its cybersecurity program. Instead, the organization can use its current processes and leverage the Framework to identify areas in which to improve its cybersecurity risk management. The Framework can also be helpful to a company that does not currently have a cybersecurity program, as a way to build in the key elements the Framework raises.
So, What Should You Do with the Framework?
First of all, take a look at the list of critical infrastructures above. Does your company fall into any of those categories? If not, is your company substantially reliant on any of those key infrastructures for its success, or even its existence? If the answer to either question is YES, then I’d suggest you take time to read the Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.
Secondly, acquaint your executive management and board members with the Framework. Give them a sense of how your company stands today relative to the Framework Implementation Tiers it describes. Use this as a means of highlighting your organization’s “…cybersecurity maturity level…” and, if you aren’t at the top, use it to highlight the resources (i.e., people, time and money) you need to raise your game.
Thirdly, take a hard look at the Framework and even “test drive” it as it stands. Be sure to provide comments back to NIST as described on their page “Request for Comments on the Preliminary Cybersecurity Framework.” Comments are requested before December 13, 2013.
Final Thoughts
When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled. Instead, it provides a set of performance objectives for your cybersecurity risk program to achieve for your prioritized list of key assets. But it is also not a “how-to” on building a security program.
So, even for our Canadian friends, be sure to take time to look the Framework over.
[1] From the corresponding Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,” issued at the same time as the EO. Link: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil