This is the second in a series of posts about the Cybersecurity Framework being developed by the Director of the National Institute of Standards and Technology (NIST). This post looks at some of the questions NIST is including in the Request for Information that it intends to publish in the Federal Register in the hopefully not too distant future.
Earlier blog posts include:
As I noted in the earlier post, the Director has posted on the NIST web site a draft of the request for information (RFI) that he intends to publish in the Federal Register as part of the collaborative effort to develop a consensus-supported Cybersecurity Framework under President Obama's Executive Order "Improving Critical Infrastructure Cybersecurity" (EO 13636). Under the terms of that EO the Director of NIST is required to publish a preliminary Framework by October 17th, 2013.
The draft RFI addresses three main areas that it wishes the critical infrastructure community to address in providing information to support the development of the Cybersecurity Framework. They are:
• Current Risk Management Practices (pg 4);
• Use of Frameworks, Standards, Guidelines, and Best Practices (pg 5); and
• Specific Industry Practices (pg 6).
Current Risk Management Practices
There are twelve general questions listed in this section that NIST would like the critical infrastructure (CI) community to answer. The first two are fairly generic questions dealing with the challenges associated with cybersecurity; specifically, the challenges of improving CI cybersecurity practices and of developing a cross-sector, standards-based Framework. The remaining questions deal more specifically with how CI organizations currently manage cybersecurity.
While I have mentioned an apparent information technology focus in the EO and the RFI, that focus is much less noticeable here. None of the questions actually mentions IT, and all of them could clearly include policies and procedures dealing with control system issues. I do think that the vast majority of the responses that NIST receives to these questions will be IT-focused. That realistically reflects the fact that the IT portion of the cyber-community is much larger and has been focusing on cybersecurity issues longer.
Having said that, and given the fact that control system security issues are more likely to lead to catastrophic effects, I would like to suggest that NIST add two control-system-specific questions to the mix about current risk management practices:
• Does the organization maintain separate security programs for control systems and information systems, or are they combined under a single manager?
• Are there significant differences in the ways in which the security programs for IT and control systems manage the risks associated with those systems?
Use of Frameworks, Standards, Guidelines, and Best Practices
Since the President's guidance for the development of the Cybersecurity Framework emphasizes the maximum possible use of existing consensus standards, this second set of questions will be very important in gathering the data necessary for that development.
Again, the questions in this section are generic enough that they could address both IT and control system security issues. Unfortunately, given the relative size of the IT security and control system security communities within most organizations, I'm afraid that the control-system security side of the problem will not receive the same level of attention in the responses to these questions.
To ensure that the control-system side receives adequate attention, I would like to see one question added to this section:
• Does the organization utilize different standards, guidelines and/or best practices in establishing the security requirements for its IT systems and its control systems?
Specific Industry Practices
The last set of questions addresses 9 specific areas of current industry practice concerning cybersecurity. Those areas are:
• Separation of business from operational systems;
• Use of encryption and key management;
• Identification and authorization of users accessing systems;
• Asset identification and management;
• Monitoring and incident detection tools and capabilities;
• Incident handling policies and procedures;
• Mission/system resiliency practices;
• Security engineering practices; and
• Privacy and civil liberties protection.
Reading the questions for this section, it is clear that NIST considers these 9 areas to be the core practices that will be included in the Framework. This makes the inclusion of the first area (separation of business from operational systems) very important. I would, however, like to suggest that one key area is missing from this list: a personnel surety program, though I suppose that could be shoe-horned into the identification and authorization of users.
The IT-centric nature of the program does raise its head unnecessarily in Question 7 of this section. That question reads:
Do organizations have a methodology in place for the proper allocation of business resources to invest in, create, and maintain IT standards?
Substitute 'cybersecurity' for 'IT' in that question and I think that you have a more appropriate question for both sides of the cyber house.
Moving Forward
It was encouraging to see that NIST was so far ahead of the game, with the draft RFI developed before the ink was dry on Obama's signature on the EO. Of course, they were well aware of the Cybersecurity Framework requirements, probably back in November, or maybe even before. The delay in getting the RFI published in the Federal Register, however, points to the political wrangling that will inevitably make it difficult for NIST to meet its October 17th deadline for publishing the preliminary Framework.
And remember, there are other deadlines that will have an impact on the timeliness of NIST's work. I'll look at those in some detail in future blogs in this series.