This is part of a continuing look at the responses that the National Institute of Standards and Technology (NIST) has received in response to its request for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to Critical Infrastructure as outlined in President Obama’s Executive Order on critical infrastructure cybersecurity (EO 13636). The earlier posts in the series are:
The period for comments ended on April 8th but the NIST web site shows that they continued to accept/publish comment through at least Friday. I will check back again next week to see if they accept any more comments after the end of the very short comment period.
In the week since I last reported on comments on the RFI, 190 comments were posted to the NIST web site. I will not have time to review and comment on all of them; that is the prerogative of a gadfly. The NIST staff will have to review each and every one; this is one of the things that will make it difficult for them to publish their draft Cybersecurity Framework in the time frame required by the President’s EO.
Control System Manufacturers
Comments were received from four major control system manufacturers (in order of posting on the site):
• ABB; and
The first three formatted their responses as specific and fairly detailed responses to the questions posed by NIST in their RFI. The Honeywell responses were more focused on their internal cybersecurity responses, though there are some interesting discussions specific to aircraft control systems. Rockwell was certainly the odd-man-out in these vendor responses in that they provided what looked like a commercial flyer on cybersecurity; strong on generalities and completely lacking in responsiveness to the questions posed by NIST. The Siemens response most directly addressed the development of the NIST Cybersecurity Framework.
Both Siemens and ABB stress that vendors cannot solve the cybersecurity problem alone. They both make it clear that any NIST Framework must “set a focus on cyber security awareness, training and developing sustainable cyber security programs within all organizations” (ABB, pg 12). Siemens does, however, offer to be part of a future discussion about “vulnerabilities that all vendors believe should be absent from new industrial control system products introduced from this point forward” (Siemens, pg 2).
There are plenty of comments from the electric power, gas transmission and water treatment industries. Clearly these industries will be impacted by the voluntary Cybersecurity Framework and would most likely have their current regulatory regimes updated to include some level of mandatory implementation.
As a commenter on chemical security matters, I am more than a little disturbed that the chemical industry is woefully under-represented in these comments. There is nothing from any of the large chemical companies who are clearly leaders in ICS security. In fact the only chemical facility comments come from two of the large industry organizations:
The ACC document is a large-scale response, short on any detailed information beyond the identification of the CFATS program as the main regulatory scheme that affects the chemical industry. They do point out that the CFATS covered facilities are not necessarily critical infrastructure under the definition of the EO. I will add that this is particularly true for those facilities (the vast majority) that are covered simply because of the presence of theft/diversion chemicals of interest.
The API, on the other hand, provides specific answers to the questions posed by the RFI. And the API document is not afraid to point fingers. For example, in response to the question about ‘greatest challenges in improving cybersecurity practices’, the first response is:
“Suppliers do not provide "Secure by Design" products. This is particularly true in process control environments where vendors have not certified their systems for various cybersecurity tools that would greatly improve our security posture.” (pg 2)
I think that the API document may overstate the state of cybersecurity activity in current practice. While the major oil companies almost certainly have vigorous security programs, I don’t think that comments like the one below apply to all of the companies in the oil industry.
“Cybersecurity is integrated into corporate risk management processes and business units must report deficiencies and provide mitigation plans to senior management. Senior management is also apprised of key risks and remediation efforts periodically.” (pg 3)
The API comments make an important point about physical security being an important part of cybersecurity:
“Many cybersecurity measures can be compromised if basic physical security measures are not in place; for example, access control to software and hardware, and employee and contractor background investigations are essential to comprehensive security programs.” (pg 6)
The oil industry, like most of the US manufacturing organizations, is a trans-global industry, with most companies operating across a number of international boundaries. The API comments consistently reflect this, but the most important international comment is made at the bottom of page 13:
“The Framework needs to be flexible enough to be implementable worldwide, if so desired. Corporate networks extend around the world and companies cannot have one security model in one part and another elsewhere. Operations are extended across the entire network so creating ‘stronger’ protections around one country alone (e.g., the U.S.) is not going to provide adequate protection. If we cannot use a consistent set of tools and practices globally, we will be hindered or impeded from efficiently securing our corporation.”
As I mentioned earlier, I will be looking back at the RFI Response web site next weekend to see if any additional comments have been posted. I suspect that there will be. As time permits I will also go back and look at some of the comments that I have skipped due to the lack of time, particularly looking for comments that specifically pertain to control system security issues.
NIST has the hard task of going back and reviewing all of the comments, distilling the useful bits from each, and then trying to weave them into the research that the organization has almost certainly already begun.
There are going to be more public meetings, but I suspect that they will be less about receiving general comments or recommendations about what should go into the Framework and more about responses to ideas that NIST plans on including in the Framework.
NIST is obviously working hard at their EO assignment, but the October 17th deadline for having a preliminary version of the Framework published is fast approaching with only five months remaining. Pulling this all together in that time frame will be a major accomplishment.