This is the second in a series of posts about the Cybersecurity Framework being developed by the Director of the National Institute of Standards and Technology (NIST). This post looks at some of the questions NIST is including in their Request for Information that will be published in the Federal Register in the hopefully not too distant future.
Earlier blog posts include:
As I noted in the earlier post, the Director has posted on the NIST web site a draft of the request for information (RFI) that he intends on publishing in the Federal Register as part of the collaborative effort to develop a consensus supported Cybersecurity Framework as part of President Obama’s Executive Order “Improving Critical Infrastructure Cybersecurity” (EO 13636). Under the terms of that EO the Director of NIST is supposed to publish a preliminary Framework by October 17th, 2013.
The draft RFI addresses three main areas that it wishes the critical infrastructure community to address in providing information to support the development of the Cybersecurity Framework. They are:
• Current Risk Management Practices (pg 4);
• Use of Frameworks, Standards, Guidelines, and Best Practices (pg 5); and
• Specific Industry Practices (pg 6).
Current Risk Management Practices
There are twelve general questions listed in this section that NIST would like the critical infrastructure (CI) community to answer. The first two are sort of generic questions dealing with the challenges associated with cybersecurity; specifically with improving CI cybersecurity practices and with developing a cross-sector, standards based Framework. The remaining questions deal more specifically with how CI organizations are currently dealing with cybersecurity management issues.
While I have mentioned an apparent information technology focus of the EO and the RFI, that focus is much less noticeable here. None of the questions actually mentions IT and they all could clearly include policies and procedures dealing with control system issues. I do think that the vast majority of the responses that NIST will receive for these questions will be IT focused. That realistically reflects the fact that the IT portion of the cyber-community is much larger and has been focusing on cybersecurity issues longer.
Having said that, and given the fact that control system security issues are more likely to lead to catastrophic effects, I would like to suggest that NIST add two control-system specific questions to the mix about current risk management practices:
• Does the organization maintain separate security programs for control systems and information systems or are they combined under a single manager?
• Are there significant differences in the ways in which the security programs for IT and control systems manage the risks associated with those systems?
Use of Frameworks, Standards, Guidelines, and Best Practices
Since the President’s guidance for the development of the Cybersecurity Framework emphasizes the maximum possible use of existing consensus standards this second set of questions will be very important in gathering the data necessary for that development.
Again, the questions in this section are generic enough that they could address both IT and control system security issues. Unfortunately, given the relative size of the IT security and control system security communities within most organizations, I’m afraid that the control-system security side of the problem will not receive the same level of attention in the responses to these questions.
To ensure that the control-system side receives adequate attention I would like to see one question added to this section:
• Does the organization utilize different standards, guidelines and/or best practices in establishing the security requirements for their IT systems and control systems?
Specific Industry Practices
The last set of questions deal with 9 specific areas dealing with current industry practices concerning cybersecurity. Those areas are:
• Separation of business from operational systems;
• Use of encryption and key management;
• Identification and authorization of users accessing systems;
• Asset identification and management;
• Monitoring and incident detection tools and capabilities;
• Incident handling policies and procedures;
• Mission/system resiliency practices;
• Security engineering practices; and
• Privacy and civil liberties protection.
Reading the questions for this section it is clear that NIST considers these 9 areas to be the core practices that will be included in the framework. This makes the inclusion of the first area very important. I would, however, like to suggest that one key area is missing from this list, a personnel surety program though I suppose that could be shoe-horned into the identification and authorization of users.
The IT-centric nature of the program does raise its head unnecessarily in Questions 7 in this section. That question reads:
Do organizations have a methodology in place for the proper allocation of business resources to invest in, create, and maintain IT standards?
Substitute ‘cybersecurity’ for ‘IT’ in that question and I think that you have a more appropriate question for both sides of the cyber house.
It was encouraging to see that NIST was so far ahead of the game with their development of the draft RFI before the ink was dry on Obama’s signature on the EO. Of course they were well aware of the Cybersecurity Framework requirements, probably back in November, or maybe even before. The delay in getting the RFI published in the Federal Register, however, points to the political wrangling that will inevitably make it difficult for NIST to meet their October 17th deadline for the publishing of the preliminary Framework.
And remember, there are other deadlines that will have an impact on the timeliness of NIST’s work. I’ll look at those in some detail in future blogs in this series.