The NIST Cybersecurity Framework
Improving critical infrastructure protection
By Steve Mustard
On 12 February 2013 President Obama issued Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.” The executive order instructed the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that would provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.”
The definition of “critical infrastructure” in the executive order is:
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The state of cybersecurity
Given the availability of a variety of standards for cybersecurity management, many of which have existed for years, people have asked why a cybersecurity framework is required. Many believe that the requirements of these standards are already being followed, so further similar standards will not help.
There are many publicly available reports on cybersecurity attacks, and there has been a common theme throughout these for the past few years, exemplified by these statistics from Verizon’s breach reports of 2012 and 2013:
- Ninety-seven percent were avoidable with basic or intermediate security controls (2012).
- Ninety-two percent were discovered by a third party (2012).
- Twenty percent of network intrusions involved manufacturing, transportation, and utilities (2013).
- Seventy-six percent of network intrusions exploited weak or stolen credentials (2013).
So despite the availability of standards, it is clear that many organizations are not applying them to the degree required.
The Repository of Industrial Security Incidents produces an annual report that focuses specifically on industrial control systems (ICS). These reports have similar conclusions to those from Verizon. The 2013 annual report stated that 33 percent of all ICS incidents were perpetrated using remote access.
The Verizon report from 2012 has staggering statistics on the timing of cybersecurity attacks. In 2012, 75 percent of attacks took just minutes to compromise an organization. At the same time, 54 percent of these compromises took months to be discovered (and, as noted, 92 percent of these discoveries were not made by the organization itself). Even after this lengthy delay, restoration took months after discovery in 17 percent of cases, and weeks in 38 percent of cases.
The statistics from Verizon cover all sectors and industry types. Within industrial automation-oriented sectors, the situation varies considerably. Many such organizations have mandatory cybersecurity standards (e.g., NERC CIP in the power industry), and their cybersecurity management programs are good. However, many organizations that have a potentially high impact on critical infrastructure (e.g., water or wastewater organizations) have a much lower degree of cybersecurity management adoption.
There are many reasons for this situation, and they include:
- lack of awareness in organizations, in particular at the top of the organization
- misunderstanding the level of risk an organization has (e.g., “that only happens to other companies,” “this has never happened before”)
- inability to quantify the risk in likelihood or impact terms, resulting in an inappropriate level of investment
- lack of adequate training in cybersecurity good practice, especially with regard to basic controls, such as good password management, backups, and malware protection
The purpose of the NIST Cybersecurity Framework is to help tackle some of these issues. The cybersecurity framework is not another standard. Instead it is a high-level concept that brings together relevant standards and sets them in an appropriate context.
The cybersecurity framework development process
Following the executive order announcement in February, NIST issued a request for information (RFI). It received more than 245 responses from asset owners, product vendors, and consultants from all industry sectors. NIST arranged a series of five workshops from May to November at various locations around the country. At these workshops, about 350 to 400 attendees representing asset owners, product vendors, and consultants debated various aspects of the framework. Between the workshops, NIST reworked this information into new drafts.
The NIST Cybersecurity Framework development process
The initial meetings focused heavily on information technology systems and the protection of data and information. Many attendees were unaware of the specific consequences that ICS or operational technology (OT) systems must be protected against:
- loss of system availability
- process upsets leading to compromised process functionality, inferior product quality, lost production capacity, compromised process safety, or environmental releases
- equipment damage
- personal injury
- violation of legal and regulatory requirements
- risk to public health and confidence
The Automation Federation, along with a number of asset owners with OT dependencies, raised awareness of these issues throughout the workshop process to ensure the framework properly addresses them.
The final workshop was held at North Carolina State University in Raleigh, N.C. The university is an active partner of the Automation Federation. This relationship, as well as the proximity to the home of ISA, made it the perfect location for the final workshop of a process that is so critical to the automation industry.
A draft of the cybersecurity framework was issued at the end of October 2013 for public comment. After a 45-day comment period, NIST will review the comments and produce a final version for issue in February 2014. Once issued, the NIST Cybersecurity Framework enters an ongoing maintenance and upkeep cycle to reflect changing circumstances and feedback from users.
What should organizations be doing?
Regardless of how well established an organization’s cybersecurity management program is, it should:
- map out existing cybersecurity processes in the organization to produce a current profile
- review recommended industry, national, and international standards, and identify a target profile that the organization should be following
- perform a gap analysis of the current profile against the target profile to identify actions necessary to achieve the target profile
- review the actions and the target profile and either confirm or revise the target profile and required actions to achieve this revised profile
- raise awareness of cybersecurity management processes and procedures throughout the organization
- identify cybersecurity information-sharing channels within the sector and begin the process of establishing cybersecurity information sharing processes
The NIST Cybersecurity Framework in operation – a continuous process of improvement
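The profile-based steps above (current profile, target profile, gap analysis, prioritized actions) can be carried out with a small script. The following is an added example, not code from the article or from NIST: the outcome identifiers are written in the style of the framework draft, and the maturity scale, impact weights and the sample water-utility profiles are constructed here for illustration.

```python
"""Gap analysis of a current cybersecurity profile against a target profile."""
from dataclasses import dataclass

# Constructed maturity scale for the state of each outcome (assumption, not the page's).
NOT_IMPLEMENTED, PARTIAL, DOCUMENTED, MEASURED = 0, 1, 2, 3


@dataclass(frozen=True)
class Outcome:
    ident: str        # outcome identifier in the style of the framework draft
    function: str     # e.g. "Protect" or "Detect"
    description: str
    impact: int       # constructed 1..3 weighting of OT consequence if the outcome is unmet


# Constructed catalogue; the basic controls named in the article (credentials,
# remote access, backups, malware protection) are the ones represented.
CATALOGUE = [
    Outcome("PR.AC-1", "Protect", "Identities and credentials are managed", 3),
    Outcome("PR.AC-3", "Protect", "Remote access is managed", 3),
    Outcome("PR.IP-4", "Protect", "Backups are conducted, maintained and tested", 2),
    Outcome("DE.CM-4", "Detect", "Malicious code is detected", 2),
    Outcome("DE.AE-2", "Detect", "Detected events are analysed", 1),
]

# Constructed profiles for a hypothetical water utility: maturity level per outcome.
CURRENT_PROFILE = {"PR.AC-1": PARTIAL, "PR.AC-3": NOT_IMPLEMENTED, "PR.IP-4": DOCUMENTED,
                   "DE.CM-4": PARTIAL, "DE.AE-2": NOT_IMPLEMENTED}
TARGET_PROFILE = {"PR.AC-1": MEASURED, "PR.AC-3": MEASURED, "PR.IP-4": DOCUMENTED,
                  "DE.CM-4": DOCUMENTED, "DE.AE-2": DOCUMENTED}


def gap_analysis(current, target):
    """Return the actions needed to reach the target profile, highest priority first.

    Priority = impact * shortfall; ties are broken by identifier so output is stable.
    Outcomes absent from a profile are treated as NOT_IMPLEMENTED."""
    gaps = []
    for o in CATALOGUE:
        cur, tgt = current.get(o.ident, NOT_IMPLEMENTED), target.get(o.ident, NOT_IMPLEMENTED)
        if cur < tgt:
            gaps.append({"id": o.ident, "function": o.function, "current": cur,
                         "target": tgt, "priority": o.impact * (tgt - cur)})
    return sorted(gaps, key=lambda g: (-g["priority"], g["id"]))


def coverage(current, target):
    """Fraction of target outcomes already met, per framework function."""
    met, total = {}, {}
    for o in CATALOGUE:
        if o.ident not in target:
            continue
        total[o.function] = total.get(o.function, 0) + 1
        if current.get(o.ident, NOT_IMPLEMENTED) >= target[o.ident]:
            met[o.function] = met.get(o.function, 0) + 1
    return {f: met.get(f, 0) / n for f, n in total.items()}
```

Revising the target profile (the fourth step in the list) is simply editing `TARGET_PROFILE` and re-running `gap_analysis`, which is what makes the cycle repeatable.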
In addition, organizations should consider engaging (if they are not already engaged) in the framework development process to help ensure that it remains relevant and valuable.
The Automation Federation has been actively involved in the development of the cybersecurity framework, helping to ensure that a focus is maintained on OT systems and that appropriate standards, such as ISA/IEC 62443 (Industrial Automation and Control Systems Security), are applied.
At the completion of the workshop phase of development, the Automation Federation and its member organizations will work with the White House and NIST on a series of tabletop exercises and seminars across the country to brief industry about the importance of adopting the NIST Cybersecurity Framework. In addition, the Automation Federation’s cybersecurity subject matter experts will continue to be engaged in the cybersecurity framework development process.
ABOUT THE AUTHOR
Steve Mustard (email@example.com) is an industrial control system and cybersecurity consultant. He is a certified automation professional, member of ISA, fellow of the Institution of Engineering and Technology, and member of the Automation Federation’s government relations committee.