NIST cybersecurity framework: What it means

Regardless of where one lives in the world, we all know that our country’s national infrastructures are very important to our economies and our national defense. And with incidents like the attacks on the gas pipeline industry and the details revealed in the Mandiant Report, nowhere has this point been driven home more than in the U.S.

03/19/2014


You may have heard some buzz in the press about the release of the Cybersecurity Framework Draft from the U.S. National Institute of Standards and Technology (NIST). However, you may not know much about its background, and you probably don’t know what it may mean to you as a control or security professional. This article gives a high-level overview of the genesis of the document and some handy points of reference.

Due to the growing concerns over continued cyber attacks on U.S. national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing – President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. This document is fondly referred to as the “EO.”

The EO called for development of a voluntary Cybersecurity Framework to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to help organizations responsible for critical infrastructure services manage cybersecurity risk.


Critical infrastructure is defined in the EO as “systems and assets – whether physical or virtual – so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Example industry sectors and the corresponding Federal oversight agency in the U.S. considered “critical infrastructure” are shown in the table below.

Designated Critical Infrastructure Sectors and Sector-Specific Agencies in the U.S.

As a follow-up to the EO, NIST was assigned responsibility for developing the Framework with input from industry. The Framework is intended to provide guidance to an organization on managing cyber security risk. A key objective of the Framework is to encourage organizations to treat cyber security risk as a priority on a par with financial, safety and operational risk, while factoring in the larger systemic risks inherent to critical infrastructure.

The previous sentence is important – if the framework is accepted, then cyber security risk and considerations need to be included in the day-to-day discussions at your company or organization. As you expand your business, build new facilities, install new equipment and hire new people, cyber security must be part of the management discussion.

The Framework

First, the EO instructed NIST to take the lead in developing the Framework. It did, and you can now find the Framework DRAFT document (and supporting information) on the NIST site.

So what does the Framework contain? According to the Cybersecurity Framework Overview, the Framework shall:

  • Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
  • Incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
  • Be consistent with voluntary international standards when such international standards will advance the objectives of the order.

What is the Framework supposed to do? According to the overview documents, the Framework:

  • Shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  • Shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
  • Will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
  • Should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.

With the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:

  1. Describe their current cyber security posture (and a semblance of maturity level)
  2. Describe their target state for cyber security
  3. Identify and prioritize opportunities for cyber security improvement within the context of risk management
  4. Assess progress toward the target state
  5. Foster communications among internal and external stakeholders.

A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cyber security risk-management process and cyber security program. Instead, the organization can keep its current processes and use the Framework to identify where its cyber security risk management needs improvement. The Framework can also help a company that has no existing cyber security program, since it can build in the key elements the Framework raises from the start.

Framework Usage

First of all, take a look at the list of critical infrastructure sectors above. Does your company fall into any of those categories? If not, is your company substantially reliant on any of those key infrastructures for its success, or even its existence? If the answer to either is YES, then I’d suggest you take the time to read the draft Framework as it stands and figure out how to apply it to your current cyber security risk management.

Secondly, acquaint your executive management and board members with the Framework. Give them a sense of where your company stands today relative to the Framework Implementation Tiers it lists. Use this as a means of highlighting your organization’s “cybersecurity maturity level.” If you aren’t near the top, use it to make the case for the resources (people, time and money) you need to raise your game.

Thirdly, take a hard look at the Framework and “test drive” it as it stands.

Performance Objectives

When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled. Nor is it a “how-to” on building a security program (see ISA/IEC 62443-2-1 for that). Instead, the Framework provides a set of performance objectives for your cybersecurity risk program to achieve against your prioritized list of key assets.

So, consider the Framework to be a nationwide scorecard for security preparedness, maybe even an international scorecard. Either way, you don’t want to be at the bottom of the class when the hackers come calling.

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.

Ernie Hayden, CISSP, CEH, is an executive consultant with Securicon LLC. His email is Ernie.Hayden@securicon.com. Click here to read the full version of the Practical SCADA Security blog.
