When President Barack H. Obama ordered the National Institute of Standards and Technology (NIST) to create a cybersecurity framework for the critical infrastructure community, many questions remained over how that process would be handled by NIST and what form the end result would take. When the final version of the document was released in February 2014, some security professionals still doubted whether the NIST cybersecurity framework would help combat the threats targeting critical infrastructure organizations, but according to Ernie Hayden, an executive consultant with Securicon, the good in the end product outweighs the bad.
"The process was fantastic," said Hayden. "[With the NIST framework] being risk-based, you're trying to take a company and worry about what the real risks are. In other words, worry about the high risks first, then work your way down. Don't try to solve everything and treat everything as equal risk."
In this interview, recorded at the 2014 RSA Conference, Hayden explains why the risk-based approach taken by the framework nullifies one of his greatest fears heading into the NIST process, namely that it would be a compliance-driven document. In particular, Hayden was petrified that the cybersecurity framework would be yet another security checklist that organizations would ignore. Instead, he said the document is focused on results for critical infrastructure providers, and its reliance on existing standards like NIST 800-53 and COBIT 5 should be seen as a positive.
Still, NIST views the cybersecurity framework as only version 1.0 of a living document, and Hayden said he would like to see the framework offer more specific advice in the future, as well as continuing to offer more incentives like the Department of Homeland Security's C-cubed program to spur adoption.
"The first concern is that it is voluntary, and money does speak loudly. Especially if I'm a small wastewater treatment plant, I may not spend money on my security program," said Hayden. "So that could be a negative side of this. … I think we're in the walk stage, not the run stage."
Read the transcript below.
Hi there, I'm Brandan Blevins, with SearchSecurity.com. Thanks for watching this video. Joining me today is Ernie Hayden. Ernie is an Executive Consultant with Securicon. Ernie, it's a pleasure to have you with us.
Hayden: Thank you, Brandan.
Ernie, NIST just recently delivered Version 1.0 of the Cybersecurity Framework, originally ordered by President Barrack Obama, in response to growing critical infrastructure security issues. First, what are your general thoughts on the framework, and the entire NIST process?
Hayden: Okay. Well, I think the first point, is let's go back to the genesis of this, because then, it will help explain my answer. So, February last year, I think it was February 12th, President Obama issued his executive order on improving cyber security of critical infrastructure. And that executive order constituted a lot of different actions, and directions to organizations to do something, okay? That, I think, most people aren't aware of, it's more than just NIST, for example. For example, the Department of Treasury has also been asked to look at such issues as incentives, for improving cyber security, so maybe tax breaks and so forth, but I digress.
The real focus was really on NIST, National Institute of Standards and Technology. Their job was to build the framework. So, what they did, is they took that action, they immediately sent out a request for information, which was, essentially, a series of questions. And then, the request for information was built into a beginnings of a framework. And then, they had five different meetings around the country, to talk about what belongs in it, and so forth. And then, like you said, just a few days ago, 1.0 was issued. The process was fantastic. It really was a publicly facing process. It asked for comments. It essentially encouraged people to provide feedback. According to NIST, it was over 1,000 people had participated, well, 1,000 entities and people, such as academics, governments, individuals.
So, that was really fantastic. The second thing, it was really based on a risk-based framework, that was more of a performance based result. Now, the words I'm just using are very critical. First of all, with it being risk-based, that means that we're trying to take a company, and focus on what their real risks are. In other words, worry about the high risks first, then work your way down. Don't try and solve everything, and don't treat everything as equal risk. The second issue was to be performance based, was really critical, because a lot of us were very concerned that the NIST product was going to be a compliance driven product, fortunately, it wasn't. It's really focused on, "Here's an outcome that we want you to aim for," that's the performance objective, if you will. And then, "Here are some ways to approach that."
For example, you can go look at other standards, and so forth, that are available to help you learn how to get there. But again, it is not a compliance driven focus. And so, when I go to a company, that's trying use the framework, I'm not going to be looking to them, to say "Show me your particular document, that satisfies this requirement." That's compliance cool, that's fine, but on the other hand, is it performance based? Does that document procedure policy really achieve what's being asked for in the framework? So, I think, generally, I've been very impressed. I did offer comments as an individual, but also, in my past employers, to the particular products. And I'm looking forward to how it gets implemented.
There's been a decidedly mixed response to the Cybersecurity Framework, within the security community, especially around what you had mentioned, the reliance on existing security standards, like, NIST 800-53, COBIT 5, and the like. Where do you stand on that issue?
Hayden: Well, [laughs] I'm laughing, because when I first heard of the framework, and I was envisioning what NIST would be doing, my biggest concern was it would go out, and take every standard they can find, shovel it into a giant checklist, and then, hand it out to everybody, and say, "Okay. Here, this is it. This is the framework," which petrified me, because we don't need any more checklists. What we need is guidance, we need to give people a sense of the "how-to's," "How do I achieve that particular result?" Now, for example, like, 800-53, is a good document, relative to business requirements, and federal mandates. But on the other hand, it's really a bunch of rules, rather than how-to's, "How do I get there?" So, that's one example.
The other example is that, let's say, for example, I am trying to do something relative to protecting my electronic security perimeter, okay? Well, I can go back to NERC CIP, and to other documents for guidance, and enlightenment, and education. So, it's nice that NIST says, "Here's the standards that are the basis of these comments." But again, it's a performance based thing, I'm not doing compliance.
I recently spoke to Michael Asante, the ICS Project Leader at the SANS Institute, and his general line of thought seemed to be that the framework doesn't do enough to address the highly targeted attacks, facing industrial control systems. Would you agree?
Hayden: Well, I highly respect Mike. I mean I think the world of him. He's a really good guy, and he's got a really good background from his time at NERC, as well as the National SCADA Test Bed. I won't be inclined to disagree with him, but I think if you look at the basis of the framework building itself, it was really designed for all critical infrastructures, okay? And not designed for just industrial controls. It was designed for governments, commercial buildings, dams, energy, water, waste water treatment, and so forth, okay? So, you're trying to build this particular document that goes across, what is it? Ten or eleven particular critical infrastructures. I hope that the subsequent write ups, the next phases, will be more specific in certain areas. And I'd be honored to work with Mike, to try and help NIST figure out what the industrial control securities aspects should be.
Ernie, considering that this NIST Framework is entirely voluntary, do you think adoption will suffer, and are there any cares that the government could put out there, to encourage that adoption?
Hayden: Well, the government actually is encouraging the adoption. DHS established an entity, if you will, or another directive, I'm not sure what you want to call it. But it's called "CQ," and to be honest with you, I don't recall what "CQ" stands for. But essentially, it's a list of checklists, and capabilities that DHS has put together, to say, "If you want to work on the Framework, you can use our checklist. You can hire us" or not "hire us," excuse me, I think it's voluntary, basically, no extra charge. But "You can bring us in, from DHS, to do some evaluations, and give you feedback, and checklist responses, and so forth." So, I think that's a way to encourage people to realize that that's how they can move forward.
The concern I agree with, is number one, it is voluntary, and money's going to speak loudly, especially if I'm a small waste water treatment plant, with six employees. I may not spend money on my security program. I'm more worried about, you know, customer satisfaction, and keeping the plant running, so to speak, and getting spare parts. So, that can be a negative side of this. I hope that some industries, and companies in particular, will stand up and say, "Okay. We are not obligated to do this, but we're going to do it, to set the example for the rest of the country." That will probably be some larger companies, don't know who. But I’m thinking of some big brands that would stand up and say, "This is what we're going to do for the country."
Do you think the NIST Cybersecurity Framework will be used as a measuring stick among companies? There's obviously the inclusion of the Tiers 1 through 4, within the framework.
Hayden: Yeah, the Tier 1 through 4 reminds me of the old... as a computer maturity model or a computational maturity model, CMM, probably getting the name wrong on that, but it reminded me of that, from years ago, circa mid-90s, and so forth. The Tiers that are offered, range from "We're at the infancy in Tier 1, we barely know what's going on," to Tier 4, which is repeatable, okay? I don't think that's the intent of the NIST document, to have people use that to grade themselves and compare it someone else, okay? I don't think that's the case. I would hope not, because now, I can see people saying, "Well, I'm a three, and you're a two, so I'm better than you are."
But on the other hand, I think it's a gradient to say, "Okay. At least I have a sense of where I am." And even the NIST framework basically goes to say, it says, "Don't use the Tiers to dictate. They're not dictating you, that you have to be a four, what they're saying is, take a look at your risk tolerance, the type of company you are, how big you are, and so forth. And get a sense of where you belong in those Tiers. Maybe you're just a two, and that's where you're going to stay, maybe you're just a three." But I would hope that the larger companies would at least say, "Okay. We have direction, let's go to be at 4."
NIST has repeatedly emphasized that this is only Version 1.0 of this living document. With that in mind, what changes would you like to see be made in the future? For example, NIST had mentioned that they would like to work around encryption.
Hayden: Yeah, they actually have a road map that they've issued, which is not a bad document, just from the standpoint of what their view of the future is. And I just read it the other day, and I think some of the terms in there, that struck me as interesting was "Cybersecurity supply chain improvements, authentication improvements," I think "encryption" was one, you mentioned.
That's good vision, but on the other hand, it’s kind of like we're in the "walk stage," not the "run stage." So, I think what they're going to need to do in the next year, is to say, "Okay. Who's tried it? Who's used it? Who's been successful? What are the use cases that are positive? What are the use cases that are negative? What are the gaps that are identified, that need to be filled?" Then maybe, at the end of the year, then NIST writes a road map, that says, "Okay. Here's the areas that we're trying to fill."
I did notice that one of the things NIST was also advocating, is that at the end of a certain amount of time period, they would turn over the framework to another entity to manage it, with the inference, it could be, like, a standards organization, maybe ISO or someone like that. But they didn't say that explicitly, but it's kind of like, NIST is going to carry it a certain direction, and then move it off to a private entity.
Ernie Hayden, thanks for joining us today.
Hayden: Thanks, Brandan.
And thank you for watching this video. For more of our videos, please be sure to visit SearchSecurity.com/videos.