This is part of a continuing look at the responses that the
National Institute of Standards and Technology (NIST) has received to its request
for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to
Critical Infrastructure, as called for in President Obama's Executive Order on
critical infrastructure cybersecurity (EO 13636).
The earlier posts in the series are:
The period for comments ended on April 8th, but
the NIST web site shows that they continued to accept and publish comments through
at least Friday. I will check back again next week to see if they accept any
more comments after the end of the very short comment period.
In the week since I last reported on comments on the RFI, 190
comments were posted to the NIST web site. I will not have time to review and
comment on all of them; that is the prerogative of a gadfly. The NIST staff
will have to review each and every one; this is one of the things that will
make it difficult for them to publish their draft Cybersecurity Framework in
the time frame required by the President's EO.
Control System Manufacturers
Comments were received from four major control system manufacturers
(in order of posting on the site):
• Siemens;
• Honeywell;
• ABB; and
• Rockwell.
The first three formatted their responses as specific and
fairly detailed answers to the questions posed by NIST in the RFI. The
Honeywell response was more focused on Honeywell's own internal cybersecurity
efforts, though it contains some interesting discussion specific to aircraft
control systems. Rockwell was certainly the odd-man-out among these vendor
responses in that it provided what looked like a commercial flyer on
cybersecurity: strong on generalities and completely lacking in responsiveness
to the questions posed by NIST. The Siemens response most directly addressed
the development of the NIST Cybersecurity Framework.
Both Siemens and ABB stress that vendors cannot solve
the cybersecurity problem alone. They both make it clear that any NIST
Framework must "set a focus on cyber security awareness, training and
developing sustainable cyber security programs within all organizations" (ABB,
pg 12). Siemens does, however, offer to be part of a future discussion about
"vulnerabilities that all vendors believe should be absent from new industrial control
system products introduced from this point forward" (Siemens, pg 2).
Industry Comments
There are plenty of comments from the electric power, gas
transmission and water treatment industries. Clearly these industries will be
affected by the voluntary Cybersecurity Framework and would most likely have their
current regulatory regimes updated to include some level of mandatory implementation.
As a commenter on chemical security matters, I am more than
a little disturbed that the chemical industry is woefully under-represented in
these comments. There is nothing from any of the large chemical companies that
are clearly leaders in ICS security. In fact, the only chemical facility
comments come from two of the large industry organizations:
• the American Chemistry Council (ACC); and
• the American Petroleum Institute (API).
The ACC document is a high-level response, short on any
detailed information beyond the identification of the CFATS program as the main
regulatory scheme that affects the chemical industry. They do point out that
CFATS-covered facilities are not necessarily critical infrastructure under
the definition in the EO. I will add that this is particularly true for those
facilities (the vast majority) that are covered simply because of the presence
of theft/diversion chemicals of interest.
The API, on the other hand, provides specific answers to the
questions posed by the RFI. And the API document is not afraid to point
fingers. For example, in response to the question about the 'greatest challenges in
improving cybersecurity practices', the first response is:
"Suppliers do not provide
'Secure by Design' products. This is particularly true in process
control environments where vendors have not certified their systems for various
cybersecurity tools that would greatly improve our security posture." (pg 2)
I think that the API document may overstate the state of
cybersecurity activity in current practice. While the major oil companies
almost certainly have vigorous security programs, I don't think that comments
like the one below apply to all of the companies in the oil industry.
“Cybersecurity is integrated into
corporate risk management processes and business units must report deficiencies
and provide mitigation plans to senior management. Senior management is also
apprised of key risks and remediation efforts periodically.” (pg 3)
The API comments also make an important point: physical security is a necessary part of cybersecurity.
“Many cybersecurity measures can be
compromised if basic physical security measures are not in place; for example,
access control to software and hardware, and employee and contractor background
investigations are essential to comprehensive security programs.” (pg 6)
The oil industry, like most US manufacturing
sectors, is a global industry, with most companies operating across
a number of international boundaries. The API comments consistently reflect
this, but the most important international comment is made at the bottom of
page 13:
“The Framework needs to be flexible
enough to be implementable worldwide, if so desired. Corporate networks extend
around the world and companies cannot have one security model in one part and
another elsewhere. Operations are extended across the entire network so
creating ‘stronger' protections around one country alone (e.g., the U.S.) is
not going to provide adequate protection. If we cannot use a consistent set of
tools and practices globally, we will be hindered or impeded from efficiently
securing our corporation.”
Moving Forward
As I mentioned earlier, I will be looking back at the RFI
response web site next weekend to see if any additional comments have been
posted. I suspect that there will be. As time permits I will also go back and
look at some of the comments that I have skipped due to lack of time, particularly
looking for comments that specifically pertain to control system security
issues.
NIST has the hard task of going back and reviewing all of the
comments, distilling the useful bits from each and then trying to weave them
into the research that the organization has almost certainly already
begun.
There are going to be more public meetings, but I suspect
that they will be less about receiving general comments or recommendations
about what should go into the Framework and more about responses to ideas that
NIST plans on including in the Framework.
NIST is obviously working hard at its EO assignment, but
the October 17th deadline for publishing a preliminary version of the
Framework is fast approaching, with only five months remaining.
Pulling this all together in that time frame will be a major accomplishment.