We all know that our country's critical infrastructure is vitally important to our national defense and economy, as well as our ability to ensure that global economic transactions are not only sustained but also enhanced.
NIST's guidance will be most beneficial to small or less-regulated entities that are trying to get a foothold on security awareness.
What the general public does not realize is critical infrastructure in the U.S. is vulnerable to any number of attacks on a daily basis. To address those security concerns, on Feb. 12, 2013, President Barack Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which called for the development of a voluntarycybersecurity framework to provide a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" for helping organizations responsible for critical infrastructure services to manage cybersecurity risk.
While different federal agencies were tasked with developing elements to support improved critical infrastructure security, the National Institute of Standards and Technology (NIST) bore the brunt of the assignment, namely the development of a cybersecurity framework in collaboration with industry feedback and commentary.
The NIST cybersecurity framework was successfully delivered to critical infrastructure providers and the public in February of this year, but questions linger as to the content of the framework and just how it can be used to improve security programs. In this tip, we'll walk through the basics of the framework, advise on the best ways to get started implementing it and explain just how it differs from other security standards.
NIST cybersecurity framework 101
The NIST framework is intended to provide guidance, but is not a compliance-focused document. The key objective is to encourage organizations to consider cybersecurity risk as a priority similar to financial, industrial/personnel safety and operational risks, while also factoring in larger systemic risks inherent to critical infrastructure.
Crucially, the framework intends to insert cybersecurity risk and considerations into the day-to-day discussions taking place at organizations around the country. Hence, as businesses expand, new facilities are built and new people are hired, cybersecurity must now be part of the daily management dialogue.
As for what exactly is included in NIST's guidance, the framework can essentially be broken down into three key parts: the framework core, the framework implementation tiers and the framework profiles. The intent is for each framework component to reinforce the connection between business drivers and cybersecurity activities.
NIST describes the framework core as a "set of cybersecurity activities, desired outcomes and applicable references common across critical infrastructure sectors." The core includes five concurrent and continuous functions -- identify, protect, detect, respond and recover. When combined, these functions provide a high-level, strategic view of the lifecycle of an enterprise's management of cybersecurity risk.
The framework implementation tiers are meant to "provide context on how an organization views cybersecurity risk and the processes in place to manage that risk." It's perhaps easiest to think of these tiers as being akin to the Capability Maturity Model (CMM) from the early 1990s, but with a bent toward cybersecurity maturity. The tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined within the framework. For example, a Tier 1 company is ranked as "Partial," meaning it possesses "limited awareness of cybersecurity risk at the organizational level." On the other end of the spectrum, Tier 4 organizations are the most evolved based on the framework's guidance, and are generally adaptable based on lessons learned and other predictive indicators. These tiers reflect a progression from informal, reactive responses to cybersecurity threats to approaches that are agile, proactive and risk-informed.
Lastly, the framework profile is meant to serve as a point of alignment between the functions, categories and subcategories laid out in NIST's guidance and an organization's business requirements, risk tolerance and resources. The intent of a profile is to help companies establish a roadmap for reducing cybersecurity risk that is aligned with organizational and infrastructure sector goals, considers legal and regulatory requirements, reflects industry best practices and echoes management's priorities and risk appetite. Framework profiles can be built to describe the current state of an organization's security program and then when compared to the desired state reveal gaps to be addressed in future improvement plans and roadmaps.
Getting started with the NIST cybersecurity framework
At the most fundamental level, the framework can help an organization identify, assess and manage its cybersecurity risk. As a result, NIST's guidance will be most beneficial to small or less-regulated entities that are trying to get a foothold on security awareness, and less informative for organizations with a large, focused IT security program.
The framework can help a company tasked with protecting critical infrastructure to improve its security posture in a number of ways, including but not limited to:
- Determining the current level of cybersecurity practices by developing a profile
- Establishing a cybersecurity program
- Communicating cybersecurity requirements with stakeholders such as employees, suppliers, customers, etc.
- Identifying opportunities for new or revised cybersecurity standards, policies and procedures
- Ensuring privacy and civil liberties are addressed during cybersecurity operations
The Department of Homeland Security's (DHS) newly developed Critical Infrastructure Cyber Community Voluntary Program (C3), pronounced "C-cubed," can serve as an excellent starting point for an organization trying to assess its current security practices. C3 now offers some self-service tools to help organizations conduct self-assessments of security programs, for example, as well as provide outreach and messaging to CEOs, other executives and employees.
One of the best options among those tools is the Cyber Resilience Review (CRR), which offers a no-cost, voluntary, non-technical assessment of an organization's operational resilience and cybersecurity practices. The CRR can be conducted either as a self-assessment or an on-site assessment facilitated by DHS cybersecurity professionals.
At a minimum, take time to review the CRR tools and checklists that can help kick-start a company's cybersecurity profiling activities. Then, maybe start with a narrow area of the business and do a simple inspection with interviews to see how your company's security activities compare to the best practices in the NIST framework.
Key takeaways and an industry example
The most powerful aspects of the framework are that it is voluntary and performance-based, both of which represent substantial paradigm shifts for many cybersecurity programs. In other words, companies are not obliged to do anything with the framework. However, the U.S. government and NIST have provided several excellent tools to help organizations get started with cybersecurity programs and assessments. Keep in mind the focus is not on whether a company complies with a regulation or rule-set, but instead on whether its activities are consistent with a good, solid security program. Again, this is a major differential when compared to assessment-focused cybersecurity schemes like PCI DSS or FISMA.
An organization called the Institute of Nuclear Power Operations (INPO) has been doing performance-based assessments of global nuclear power plants since about 1980, when the organization was founded following the Three Mile Island accident. INPO assessors use a document called Performance Objectives and Criteria (PO&C) to conduct nuclear safety assessments of commercial nuclear power plants. These PO&Cs are similar to the NIST cybersecurity framework in that the focus is on how an organization performs relative to the standards and not whether it complies.
Although this shift may seem a bit subtle, the difference turns out to be substantial in real-world scenarios. Ultimately, just having a document that complies with a regulation does not mean that the document actually "works," hence why the focus on performance makes sense.
Take action now
The NIST cybersecurity framework is a huge step forward in helping guide the critical infrastructure sectors toward improved cybersecurity. It is not an iron-fisted approach, but one that gives all entities the necessary tools and references to help those organizations realize what they need to do to become more secure. The cybersecurity framework is a "living document," according to NIST, so we can expect changes in the next year based on users' feedback. NIST is planning a workshop on this subject before the end of 2014, and in fact, the non-regulatory government agency has already issued a roadmap that lays out the expected next steps in improving the framework, including expanding guidance into areas such as supply chain risk management, authentication and automated metrics sharing.
This is just the beginning for this long-anticipated document, but critical infrastructure organizations need to "jump in" now and start assessing where their security programs stand against the framework, and begin making plans to address the gaps. It's sound guidance, and it can only help make organizations more secure.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced critical infrastructure protection/information security professional and technology executive providing global thought leadership for more than 13 years in the areas of critical infrastructure protection, cybercrime, cyberwarfare, industrial controls security and business continuity/disaster recovery. This is in conjunction with his work in the areas of leadership and technical business management, which he has been focused on since 1974. Based in Seattle, Hayden devotes much of his time to critical infrastructure protection and analysis, industrial control systems security, energy and utility issues including smart grid security, and studying the security of these systems against contemporary threats. Hayden is an Executive Consultant with Securicon and has held roles as a Global Managing Principal at Verizon and as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), Seattle City Light and Alstom ESCA. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.