Saturday, September 30, 2017

NIST Publishes CSF Manufacturing Profile

This week the National Institute of Standards and Technology (NIST) published a new implementation document to support the Cybersecurity Framework, the Cybersecurity Framework Manufacturing Profile. In many ways this is similar to the Coast Guard’s draft Framework for Passenger Vessels, so much so that I suspect that the NIST team had some significant input into the CG’s document.

Document Overview

The Profile starts with a brief look at manufacturing systems: an overview of the two very broad types of manufacturing systems (process and discrete) and of the types of electronic communications employed within the manufacturing and critical infrastructure sectors. It then goes on to provide a quick look at the Cybersecurity Framework, providing some background information about how the Framework was developed and how it is organized.

Then, as with the CG’s Framework, it provides a brief discussion of the business or mission objectives that are affected by cybersecurity risk. Those objectives (which the Profile emphasizes are not in prioritized order) are (pg 8):

• Maintain human safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets.

After providing a series of tables that show which Framework subcategories support which objective, the document proceeds to a discussion of relative potential impact or security levels: Low, Moderate and High. This includes tables describing impact levels based upon both the direct impacts of a failure of cybersecurity systems (injury, financial loss, environmental release, interruption of production, and public image) and more generalized impacts based upon the products produced or the industry involved.

Finally, we get to the meat of the Profile: a 26-page table that lists recommended general steps to take for each of the Framework’s subcategories at each level of impact, along with the appropriate Framework supporting-document references for those recommendations.

Commentary

Remembering that the CSF is a risk management or risk communication document and not a technical cybersecurity blueprint, NIST has done a very thorough job of producing a document that is usable by most folks in the manufacturing sector and in those critical infrastructure sectors that use industrial control systems. Will people find faults with various specific recommendations? Almost certainly, but that would be true for any document of this type.

I do have one very serious misgiving about this Profile document. The on-line version provides some very good, very specific links to supporting documents. For example, for subcategory DE.DP-5 (Detect, Detection Process #5) the on-line version of the document provides a direct link to CA-2 (Security Assessments) within NIST SP 800-53; very helpful. The problem? Those links are not included in the .PDF document downloaded from the site. I suspect that that is because NIST intends to continually update those links (a thankless task if ever there was one) as the various reference documents are revised. Still, it does limit the effectiveness of the downloaded version of the Profile.


There is a very interesting anomaly in the Profile: a number of the recommended actions do not include a reference. For example, in ID.GV-1 (Identify, Governance #1) it recommends for all three risk levels: “Ensure the security policy is approved by a senior official with responsibility and accountability for the risk being incurred by manufacturing operations.” This is certainly a good recommendation, but it is interesting that this (and a significant number of similar recommendations) has not been tied to any of the NIST-supplied references.
