The final version of the NIST cybersecurity framework, released last week, is intended to provide a baseline of IT security best practices for U.S.-based critical infrastructure organizations. Experts, however, questioned whether the document provides the sort of easily understandable and actionable advice those organizations require.
The development of the framework was originally set in motion a year ago by President Barack H. Obama when he signed Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST) with delivering security guidance to the critical infrastructure community.
Obama deemed the touchstone document necessary based on the increasing number of cybersecurity threats targeting critical infrastructure assets, potentially affecting national and economic security.
"While I believe today's framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity," said Obama in a statement. "Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property."
A preliminary version of the framework was released in October 2013 and subsequently went through a 45-day review period, during which key stakeholders were able to provide feedback for the final version. Seemingly little changed between the two documents though, apart from cutting much of the detail originally provided on protecting privacy and personally identifiable information.
Breaking down the NIST cybersecurity framework
As for what the document actually contains, the NIST cybersecurity framework is essentially broken down into three sections.
The first, referred to as the framework core, is meant to guide organizations to other accepted standards, such as NIST 800-53, when determining how to manage certain cybersecurity risks. If, for example, an organization decides it needs to protect user credentials, the framework points to specific sections of COBIT 5, ISO 27001, and other standards.
For organizations to assess the maturity of their IT security programs, the framework provides four self-ranking "tiers." At the bottom of the scale are tier-1 organizations, which are characterized as not having "formalized" risk management practices and processes, as well as having little awareness of cybersecurity threats. Tier-4 firms, on the other hand, are known to adapt "cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities," are generally aware of cyberthreats, and have put the process in place to mitigate them.
The framework also encourages critical infrastructure organizations to create what it refers to as "profiles" -- essentially a summary of its information security program -- meant to help establish a "roadmap for reducing cybersecurity risk" based on an organization's specific business requirements, risk tolerance and security resources. A company's profile would provide a general idea of the current state of its cybersecurity program as well as a target goal that the organization will work toward. The framework encourages businesses to compare profiles in order to identify potential gaps in mitigation strategies. The framework, though, doesn't provide a template for creating these profiles in the vein of the core section.
How to implement, measure the framework
Michael Assante, ICS and SCADA project lead for the SANS Institute, said the time was right to release an all-encompassing cybersecurity framework as critical infrastructure assets across the country are increasingly facing highly targeted attacks. Unfortunately, he added, the framework fails to consider the focused nature of such attacks.
Assante described the guidance in the NIST document as too "loose," noting that he wouldn't even know how to begin implementing it. In particular, the core section of the framework provides organizations with a "big blanket of controls" based on general situations, he said, but never takes into account threats that may be specific to an organization or industry.
For example, Assante said many of the attackers targeting industrial control systems (ICS) rely on establishing connections with command-and-control infrastructures to retrieve sensitive information. To mitigate that risk, organizations should rely on outbound filtering and monitoring to stop that data exfiltration, but he noted that ICS security professionals will not see such prescriptive advice in the NIST framework.
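The outbound filtering and monitoring Assante describes can be made concrete. The following is an added example written for this page, not code from the article, from Assante or from NIST: it reads constructed flow records from an assumed control-system segment (10.20.0.0/24), checks each outbound connection against an allowlist of permitted destinations (a historian and a vendor update server, both constructed), and flags anything that leaves the allowlist or moves an unusually large volume of data. The log format, addresses, ports and byte threshold are all assumptions for the example.

```python
"""Outbound allowlisting check for an ICS segment.

Added example, not from the article or from NIST. It models the control
Assante describes: hosts in a control-system segment should only initiate
outbound connections to a small, known set of destinations, and anything
else is a candidate command-and-control or exfiltration channel.

Assumptions (all constructed for this example): 10.20.0.0/24 is the ICS
segment, each log line is a simplified "ts src dst proto dport bytes_out"
flow record, and the allowlist holds the historian and the vendor update
server.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: (destination network, destination port) pairs that
# ICS hosts may reach. A port of None means any port on that network.
ALLOWLIST = [
    (ipaddress.ip_network("10.30.0.5/32"), 5000),   # historian (constructed)
    (ipaddress.ip_network("10.30.0.10/32"), 443),   # vendor update server (constructed)
    (ipaddress.ip_network("10.20.0.0/24"), None),   # traffic staying inside the segment
]
ICS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # constructed ICS subnet

# Above this many bytes in a single flow we flag even an allowlisted
# destination, since bulk transfers from a PLC or HMI are unusual.
# The threshold is illustrative, not a recommendation.
BULK_BYTES = 5_000_000


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts src dst proto dport bytes_out'."""
    ts, src, dst, proto, dport, bytes_out = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto, int(dport), int(bytes_out))


def is_allowed(flow: Flow) -> bool:
    """True if the destination/port pair matches an allowlist entry."""
    return any(flow.dst in net and (port is None or port == flow.dport)
               for net, port in ALLOWLIST)


def find_violations(lines):
    """Return (reason, flow) for every flow originating in the ICS segment
    that either leaves the allowlist or moves an unusual volume of data."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        flow = parse_flow(line)
        if flow.src not in ICS_SEGMENT:
            continue  # only connections initiated from the ICS segment are in scope
        if not is_allowed(flow):
            findings.append(("unlisted destination", flow))
        elif flow.bytes_out > BULK_BYTES:
            findings.append(("bulk outbound transfer", flow))
    return findings


# Constructed sample records, not real traffic. 203.0.113.44 is a
# documentation address standing in for an unknown external host.
SAMPLE_LOG = """\
# ts                  src         dst           proto dport bytes_out
2014-02-18T09:00:01Z  10.20.0.11  10.30.0.5     tcp   5000  48210
2014-02-18T09:00:07Z  10.20.0.12  10.20.0.13    tcp   502   1200
2014-02-18T09:01:15Z  10.20.0.11  203.0.113.44  tcp   443   9304
2014-02-18T09:02:30Z  10.20.0.14  10.30.0.10    tcp   443   7200000
2014-02-18T09:03:02Z  10.30.0.5   10.20.0.11    tcp   5000  3100
"""

if __name__ == "__main__":
    for reason, flow in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

Run against the constructed log, the check flags two of the five records: the connection from an ICS host to an unknown external address on port 443, and the oversized transfer to the otherwise permitted update server. The inbound record from the historian is ignored because the control is about what the segment initiates, which is the point of outbound filtering.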
Though he said the wide-ranging approach taken by NIST may be good for promoting discussion, Assante worried that the organizations adopting the framework will simply pursue too many security controls.
"In any kind of standard, language matters, and there's uncertainty in the language," Assante said. "This is where the implementation of things gets hard. You leave a lot of stuff up to interpretation, which means you said for people to do these things, and you don't really know how it's being done or if it's being done in a way that makes a difference."
Chris Coleman, CEO of Baltimore-based Lookingglass Cyber Solutions Inc., agreed that the cybersecurity framework as it stands has perhaps been "watered down." In an effort to achieve consensus, he said NIST may have broadened the framework due to its experience issuing the 800-53 document, which outlines cybersecurity guidance and policies for the federal government.
In his past role as director of cybersecurity for Cisco Systems Inc., Coleman said he was part of a team that attempted to map the NIST 800-53 guidance to the company's technology portfolio for government customers. While he uncovered some good aspects about the document, Coleman found the number of controls in 800-53 -- spanning more than 130 pages -- to be overwhelming, greatly limiting its applicability outside the government.
NIST's efforts at simplifying the cybersecurity framework may have resulted in the opposite effect though, Coleman noted, as the document's guidance will be considered "fairly basic" by any organization with a mature IT security program. Organizations choosing to adopt the framework will either find they have no way to measure themselves against it, he said, or, if they choose to dig into the many existing standards referenced in the document, will instead be buried in the same deluge of controls and information they were perhaps already avoiding.
"The challenge was that they had to simplify it, but the question is, have they oversimplified it? There's still a lot of work for anybody wanting to embrace this framework; they have to do homework on their own to figure out what all these references mean," Coleman said. "Maybe I'm not familiar with all these references, maybe I'm a less-mature organization and I'm not familiar with the ISO, the COBIT or the 800-53, so now I have to go dig through this information and figure out how it applies to me and figure out how to monitor myself against it."
Dave Burg, global and U.S. advisory cybersecurity leader for New York-based PricewaterhouseCoopers, and who participated in the development process of the NIST framework, said such criticisms possibly miss NIST's intentions with the framework.
Burg said the ultimate goal of the document is to provide a security baseline against which all critical infrastructure organizations can measure themselves, not to "start from scratch" and throw out existing standards. Organizations aren't intended to use the framework as their only assessment mechanism, according to Burg, but rather as a reference point for objectively evaluating their security programs and identifying potential gaps in them.
In PwC's 2014 Global State of Information Security survey, for example, Burg noted that 26% of respondents hadn't performed an initial security assessment to determine which cyber-assets need to be secured, skipping one of the basic building blocks of effective enterprise cybersecurity.
"Any time an organization is willing to criticize itself, to assess itself, and to use a baseline to measure itself, I think it's quite important," Burg said. "And will mature, highly capable security programs find gaps that were heretofore unknown? Maybe not, but I think the objective here is to simplify the assessment landscape."
Sticks and carrots
Perhaps surprisingly, none of the experts SearchSecurity spoke with were concerned about the entirely voluntary nature of the current framework, which was one of the most frequently cited criticisms leveled during the run-up to its publication. As it stands, adopting the framework provides no real incentives, while critical infrastructure organizations that choose not to adopt it face no form of punishment.
Burg commented that the NIST process in creating the framework would have been "slowed down" if it had been mandatory and that organizations are better off guiding their own activity in this area.
Assante said the very nature of a Presidential Executive Order took away the "stick" to potentially punish organizations that don't adopt the framework, leaving NIST and other government officials to provide a "carrot" to incentivize implementation. He has heard discussions around lowering insurance rates based on the tier an organization is assessed at under the framework, but said that "eye-catching guidance" involving real measurement metrics is required before such proposals would have a chance of succeeding.
Coleman, meanwhile, worried that making such standards mandatory tends to create a "culture of checkbox security," and that the framework as it currently exists isn't ready for the spotlight.
"I don't think it's near mature enough to be able to incentivize anybody to adopt it," Coleman said. "If Lookingglass tried to adopt this today, I'm not sure really what I'm adopting."
Future of the NIST cybersecurity framework
Alongside the release of version 1.0 of the framework, NIST also issued a roadmap that gives some indication of the areas in which it would like to expand what the agency has described as a "living document" in the coming months and years. Among the areas for which NIST hopes to develop guidance are diversified forms of authentication, automated indicator sharing and supply chain risk management.
Burg found the mention of increased threat information sharing, originally called for in EO 13636, promising based on his discussions with PwC's clients, many of which are intrigued by the idea.
Coleman concurred that more organizations are beginning to find the need for more information sharing, but cautioned that such initiatives face natural barriers to implementation and adoption.
"The challenge with sharing as a whole is that people only share if they believe there is value in the information they can get in return," Coleman said. "And maybe that's just human nature, but that fact is a very difficult cultural challenge."
Assante called for NIST to supplement the standard with more security metrics and to offer the technical advice organizations need to mitigate targeted attacks. Due to his experience going through a "very NIST-organized approach" when working on smart grid standards though, Assante fully understands just how difficult it can be to involve the sort of "busy" experts that could provide that needed input in a "process-driven" endeavor.
"Does NIST have a process that will allow it to deal with the dynamic nature of cyber and to move toward a better state other than just a starting point?" Assante asked. "I'm worried that NIST has to do a consensus process, and that's probably going to shape the future of this framework more than anything."