We are finally starting to see some of the responses that
NIST has received from their request for information for the cybersecurity
framework that they are developing to support the President’s cybersecurity
Executive Order. There are as of today 19 responses on the NIST RFI Response
web page. Upon quick review they run a wide gamut of ideas, from very technical
presentations on technical security issues to almost political manifestos. And
it looks like there is currently about a 10-day delay in getting responses
posted to this new web page.
Political Manifesto
One of the most
radical proposals comes from Jean C (NIST is not providing contact
information with these postings unless it is specifically listed in the
document submitted). It begins with the statement “Block all international
internet access” and goes downhill from there. I will grant that the
suggestions in this document will probably limit the number of successful cyber-attacks
(limit not eliminate – Stuxnet attacked isolated systems), but it would also
completely isolate important sectors of the US economy from the beneficial
aspects of information sharing.
Even with all of the political paranoia inherent in this
proposal there are some worthwhile suggestions, though none of them are new.
Testing of updates before implementing them on control systems and having
appropriately trained cybersecurity personnel are hardly new ideas.
Another politically flavored proposal takes a slightly
more technical approach. Piltz
suggests that all IP addresses be protected by VPNs. The proposal then drops back
down into political controls: fining personnel via payroll deductions for violations
of protocols and ‘timewasting’ online, and blocking all internet connections
after work hours, round out the political approach.
Technical Proposals
There are a number of technical proposals that I am hardly
in a position to evaluate, but that’s what NIST is for. They range from interface
standards, to NASH
hardware encryption (impressive diagram), to software
security evaluations. There is a broad
suggestion as to what the framework should include and a link to a foreign cybersecurity national standard.
Information sharing is an important part of a number of the
proposals. The development of a standard
format for disseminating attack information and an international
experiment on the development of an information sharing protocol are some
of the ideas discussed.
There is an interesting
discussion of the Cyber Security Evaluation Tool (CSET) developed by
ICS-CERT. While much of the discussion describes improvements that could be
made to CSET, it is an interesting proposal for using this type of tool for
evaluating the cybersecurity of systems.
One of the most comprehensive documents provided to date
comes from a well-known
source, IBM Security Systems. It is an interesting bullet-point style list
of things that might be included in the NIST framework. Many of the items
deserve more detailed discussion (particularly the various metrics suggested)
while others are more of the ‘apple pie and motherhood’ variety (Identify your
key / most critical business processes.). As is to be expected from IBM, this is an
IT-centric proposal.
What’s Missing
While it is still early in the RFI process (typically most
comments come in the closing days of the comment period) it is disappointing to
not see comments from people in the control system security community. To my
mind most of the serious work in protecting critical infrastructure from
catastrophic events must be focused on control systems. I would really like to
think that some of the well-known figures in this community are planning on
putting in their two cents’ worth.