Thanks to Joel Langill for his TWEET® pointing at a new pre-publication
draft of a National Institute of Standards and Technology (NIST) document
entitled “Manufacturing Profile Cybersecurity Framework”. The Executive Summary
of the document describes its purpose this way:
“This document provides the
Cybersecurity Framework implementation details developed for the manufacturing
environment. The “Manufacturing Profile” of the Cybersecurity Framework can be
used as a roadmap for reducing cybersecurity risk for manufacturers that is
aligned with manufacturing sector goals and industry best practices.”
It is not clear when/if NIST intends to publish this
document, but it looks like it will be a valuable addition to the documents
used to help organizations implement the Cybersecurity Framework (CSF).
Manufacturing Overview
There is a brief, if somewhat simplistic, overview of
manufacturing systems. It breaks manufacturing down into two broad categories:
process-based and discrete-based. It then breaks the process-based
manufacturing into two separate processes: continuous and batch. I call this ‘somewhat
simplistic’ because many manufacturing organizations use a combination of both
systems and processes.
The important missing element in the manufacturing overview
is any mention of the different types of cyber-systems used in the
manufacturing environment. A wide variety of industrial control systems are
used in the control of manufacturing processes, inventory control, safety systems,
security systems and environmental controls.
Manufacturing and Business Objectives
The section on manufacturing and business objectives lays
out five main areas where cybersecurity affects the manufacturing environment:
• Maintain personnel safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets.
The document then ties these categories of cybersecurity
concern back into the categories and subcategories of the CSF
Core. It highlights each of the subcategories in the Core that apply to each of
the manufacturing objectives listed above.
The NIST document then goes on to undertake a lengthy
discussion about how risks can be categorized for each of the subcategories in
the CSF Core. Then, in Section 7 (Manufacturing Profile Subcategory Guidance) of
the document, NIST provides detailed proposed language for evaluating the cybersecurity
risk profile for the manufacturing segment of an organization. Again, this is
based upon the categories and subcategories of the CSF Core.
Moving Forward
This document currently stands alone on the NIST web site
without any indication of how NIST intends to move forward with this draft
document. I would hope that NIST will continue their proactive efforts to bring
industry into the development of the various documents that support the CSF.
The 28 pages of the Manufacturing Profile Subcategory Guidance are too much for
a single person (even me – GRIN) to effectively review and provide suggestions
for improvement.
I do think that NIST has done another remarkable job of
producing a draft document for public review and comments.