This week the National Institute of Standards and Technology
(NIST) published a new implementation document to support the Cybersecurity Framework, the Cybersecurity
Framework Manufacturing Profile. In many ways this is similar to the Coast
Guard’s draft Framework
for Passenger Vessels, so much so that I suspect that the NIST team had
some significant input into the CG’s document.
Document Overview
The Profile starts with a brief look at manufacturing
systems, giving a short overview of the two very broad types of
manufacturing systems (process and discrete) and the types of electronic
communications that are employed within the manufacturing and critical
infrastructure sectors. It then goes on to provide a quick look at the
Cybersecurity Framework, providing some background information about how the
Framework was developed and is organized.
Then, as with the CG’s Framework, it provides a brief
discussion of the business or mission objectives that are affected by cybersecurity
risk. Those objectives (which, the document emphasizes, are not in prioritized order) are (pg 8):
• Maintain human safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets.
After providing a series of tables that show which
Framework subcategories support which objective, the document proceeds with a
discussion of relative potential impact or security levels: Low, Moderate and
High. This includes tables describing impact levels based upon both direct
impacts of failure of cybersecurity systems (injury, financial loss,
environmental release, interruption of production, and public image) and more
generalized impacts based upon the products produced or the industry involved.
Finally, we get to the meat of the Profile: a 26-page
table that provides a listing of recommended general steps to take for
each of the Framework’s subcategories at each level of impact, along with the
appropriate Framework supporting document references for those recommendations.
Commentary
Remembering that the CSF is a risk management or risk
communication document and not a technical cybersecurity blueprint, NIST has
done a very thorough job of producing a document that is usable by most folks
in the manufacturing sector and in those critical infrastructure sectors that use
industrial control systems. Will people find faults with various specific
recommendations? Almost certainly, but that would be true for any document of
this type.
I do have one very serious misgiving about this Profile
document. The on-line version provides some very good, very specific links to
supporting documents. For example, for subcategory DE.DP-5 (Detect, Detection
Process #5) the on-line version of the document provides a direct link
to CA-2 (Security Assessments) within NIST SP 800-53; very helpful. The
problem? Those links are not included in the .PDF document downloaded from the
site. I suspect that is because NIST intends to continually update those
links (a thankless task if ever there was one) as the various reference
documents are revised. Still, it does limit the effectiveness of the downloaded
version of the Profile.
There is a very interesting anomaly in the Profile: there
are a number of recommended actions that do not include a reference. For
example, in ID.GV-1 (Identify, Governance #1) it recommends for all three risk
levels: “Ensure the security policy is approved by a senior official with responsibility
and accountability for the risk being incurred by manufacturing operations.”
This is certainly a good recommendation, but it is interesting that this (and a
significant number of similar recommendations) has not been identified in any
of the NIST supplied references.