Earlier this week the National Institute of Standards and Technology held their second workshop on the development of the Cybersecurity Framework required by the President’s cybersecurity executive order (EO 13636). According to various news reports the workshop drew a couple of hundred participants from various industries and cybersecurity vendors. NIST has published two of their presentations on their Cybersecurity Framework web site.
Initial Analysis
According to the workshop agenda, the discussions this week were supposed to be focused on the results of the request for information (RFI) that NIST published back in February. The week before the workshop NIST published their initial analysis of the results of that RFI, and one of the two NIST presentations given at the workshop addressed that analysis.
The presentation initially explains the methodology that NIST used to extract, classify and collate the information provided in the over 200 responses to the RFI. Even if nothing else comes out of this framework process, NIST should develop this process into a formal tool that OMB should require all federal agencies to use when analyzing a large number of responses to a proposed regulation. It looks like a very effective tool, and I urge NIST to publish the resulting database they developed for this RFI.
The presentation goes on to examine the results of the response analysis in some detail. The slide presentation does not provide any more information than is found in the initial analysis document. Fortunately, NIST webcast these two presentations for those of us who could not attend the workshop, and a copy of that webcast will be available on the internet within the coming week for those of us who could not take time off of work to watch the live version.
Framework Development Schedule
One of the things that everyone is concerned about is how NIST intends to go about the process of developing the Framework. The other NIST presentation at the Workshop generally dealt with that topic. After providing a very generic overview of what NIST expects the framework to be, they provide a time-scale for their portion of the development process (slide 6). The future dates of interest provided in that timeline include:
• Draft Initial Framework – June 2013
• 3rd Framework Workshop – July 2013
• 4th Framework Workshop – September 2013
• Publish Preliminary Framework – October 2013
This is a very aggressive schedule for any federal agency, particularly one without any regulatory experience. I know that the Cybersecurity Framework is not intended to be a regulation, but it will certainly have quasi-regulatory components. Preparing a framework that will hold up to regulatory scrutiny will be very important in the long run.
Presumably the gap between the 3rd and 4th workshops will include the development of the final draft of the Preliminary Framework, and the 4th workshop will massage that draft somewhat before the final preliminary version is published in October.
NIST Framework Process
After rehashing some of the information about how NIST analyzed the RFI responses, the presentation starts to look at the process that NIST intends to use to develop the Framework. They start with a discussion of how NIST will select the components of the Framework. Slide 15 describes the selection process.
The most interesting thing about this slide (for the control system community) is found in paragraph b:
“If a candidate practice, method, or measure does not operate in support of a core EO objective then it is not considered for inclusion in the framework.”
Since the cybersecurity EO is IT-centric and does not mention control systems in any part of its discussion of the Cybersecurity Framework in paragraph 7 (presumably where the ‘core EO objective’ would be found), I wonder if this will be used by NIST as a method to avoid including control system security measures in the Framework. I certainly hope that that is not the case; a Cybersecurity Framework that does not specifically address control system security issues will provide no protections against catastrophic attacks on critical infrastructure.
Moving Forward
It will be interesting to see how the initial draft of the Cybersecurity Framework deals with control system security issues. At this point we will just have to wait and see.
1 comment:
Of course the NISTCSF will deal with control systems issues. :) It's being developed (among other things) in support of the executive order's outcome-based perspective on cybersecurity (which, also of course, would naturally consider control systems since their failure tends to create significantly bad outcomes).
I'm curious what in the EO made you think it was EO-centric?
The level in the security stack at which both the EO and the CSF operate is higher than the level at which the distinctions between IT/ICS happen, and so they are inclusive of both without the need to distinguish between the two in policy statements.