NIST has announced another in a series of workshops
concerning the proposed new version of their Cybersecurity Framework (CSF 1.1).
The 2-day workshop will be held in Gaithersburg, Maryland on May 16th,
2017. The draft
agenda for the workshop was made available this week on their CSF website.
I have not covered CSF 1.1 because the CSF is not
operationally an industrial control system (ICS) security program. There are ICS
components, but this is a cybersecurity management tool, not actually a
cybersecurity tool. I have not seen anything in CSF 1.1 that would change that
assessment.
Having said that, I am mentioning this workshop because it
contains an Internet of Things (IoT) breakout session on the second day of the CSF
1.1 workshop. The agenda describes it this way:
“Cyber Meets the Physical World: The diverse use and rapid
proliferation of connected devices – typically captured by the “Internet of
Things (IoT)” – creates enormous value for industry, consumers, and broader
society. At the same time, emerging threats, such as last year’s Mirai DDoS
attacks, highlight the critical need to develop and apply guidance to maintain
the cybersecurity of devices and the ecosystems into which they are deployed.
NIST is seeking feedback on how the Framework may be applied to the IoT, both
in terms of the devices themselves, as well as their integration into broader
enterprise and network environments. Topics in this breakout may include:
existing IoT definitions and taxonomies and their consistency with the
Framework; IoT specific threats and constraints; sector-specific considerations
for IoT security; and the integration of IoT-specific threats into the
Framework model.”
Even this description of ‘Cyber Meets the Physical World’
contains no specific reference to industrial control systems, nor does it even
really hint at their existence. This is the thing that continues to concern me about
the CSF. I hope that I am reading too much into this brief description and I
hope that we hear from some attendees with an ICS cybersecurity background that
there was some specific and realistic discussion of ICS-specific security
concerns with IoT and how that might be dealt with in the CSF environment.
Early registration
is recommended by NIST due to the limited seating available. Registration
closes on May 9th, 2017.