Tuesday, July 19, 2016

NIST Looking at CSF and Manufacturing Operations

Thanks to Joel Langill for his TWEET® pointing at a new pre-publication draft of a National Institute of Standards and Technology (NIST) document entitled “Manufacturing Profile Cybersecurity Framework”. The Executive Summary of the document describes its purpose this way:

“This document provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.”

It is not clear when/if NIST intends to publish this document, but it looks like it will be a valuable addition to the documents used to help organizations implement the Cybersecurity Framework (CSF).

Manufacturing Overview

There is a brief, if somewhat simplistic, overview of manufacturing systems. It breaks manufacturing down into two broad categories: process-based and discrete-based. It then breaks process-based manufacturing into two separate processes: continuous and batch. I call this ‘somewhat simplistic’ because many manufacturing organizations use a combination of both systems and processes.

The important missing element in the manufacturing overview is any mention of the different types of cyber-systems used in the manufacturing environment. A wide variety of industrial control systems are used in the control of manufacturing processes, inventory control, safety systems, security systems and environmental controls.

Manufacturing and Business Objectives

The section on manufacturing and business objectives lays out five main areas where cybersecurity affects the manufacturing environment:

• Maintain personnel safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets

The document then ties these categories of cybersecurity concern back into the categories and subcategories of the CSF Core. It highlights each of the subcategories in the Core that apply to each of the manufacturing objectives listed above.

The NIST document then goes on to undertake a lengthy discussion about how risks can be categorized for each of the subcategories in the CSF Core. Then, in Section 7 (Manufacturing Profile Subcategory Guidance) of the document, NIST provides detailed proposed language for evaluating the cybersecurity risk profile for the manufacturing segment of an organization. Again, this is based upon the categories and subcategories of the CSF Core.

Moving Forward

This document currently stands alone on the NIST web site without any indication of how NIST intends to move forward with this draft document. I would hope that NIST will continue their proactive efforts to bring industry into the development of the various documents that support the CSF. The 28 pages of the Manufacturing Profile Subcategory Guidance are too much for a single person (even me – GRIN) to effectively review and provide suggestions for improvement.

I do think that NIST has done another remarkable job of producing a draft document for public review and comments.
