Saturday, April 22, 2017

NIST Announces CSF 1.1 Workshop – May 16th, 2017

NIST has announced another in a series of workshops concerning the proposed new version of their Cybersecurity Framework (CSF 1.1). The 2-day workshop will be held in Gaithersburg, Maryland on May 16th, 2017. The draft agenda for the workshop was made available this week on their CSF website.

I have not covered CSF 1.1 because the CSF is not operationally an industrial control system (ICS) security program. There are ICS components, but this is a cybersecurity management tool, not actually a cybersecurity tool. I have not seen anything in CSF 1.1 that would change that assessment.

Having said that, I am mentioning this workshop because it contains an Internet of Things (IoT) breakout session on the second day of the CSF 1.1 workshop. The agenda describes it this way:

“Cyber Meets the Physical World: The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.”

Even this description of ‘Cyber Meets the Physical World’ contains no specific reference to industrial control systems, nor does it even really hint at their existence. This is the thing that continues to concern me about the CSF. I hope that I am reading too much into this brief description, and I hope that we hear from some attendees with an ICS cybersecurity background that there was some specific and realistic discussion of ICS-specific security concerns with IoT and how that might be dealt with in the CSF environment.

Early registration is recommended by NIST due to the limited seating available. Registration closes on May 9th, 2017.

