The National Institute of Standards and Technology (NIST) has released the long-anticipated Framework for Improving Critical Infrastructure Security.
The framework, released on February 12th, provides critical infrastructure operators with a broad blueprint of how to defend IT and industrial control systems networks that handle sensitive and critical tasks for a broad range of industries, including energy, water, and financial services industries.
The 41-page document represents months of collaboration between industry and government and is the result of Executive Order 13636, signed a year ago.
The framework is intended to be a living document with cybersecurity standards and best practices for the private sector to consider in their security operations. It is meant to serve as a companion to existing risk management procedures.
“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet,” President Barack Obama said in a statement.
While the framework is “good” overall, it is important to remember that is it just a framework, said Andy Hubbard, senior security consultant at Neohapsis. Organizations get a better idea of where to start, what best practices to implement, and how to prepare for a breach or outage. “Will it be ground breaking? Probably not.” Hubbard said.
Criticism
The framework has three main parts. The Core establishes common outcomes, references, and activities as part of a high-level strategic outline for critical infrastructure operators. The Core provides the information operators need to identify, protect, detect, respond, and recover from an incident.
The Implementation Tier helps security teams determine whether current processes are risk aware, repeatable and adaptive enough to current threats.
The Profile helps operators align standards, guidelines, and practices to the Core to ensure implementation match business needs.
“Each of the Framework components reinforces the connection between business drivers and cybersecurity activities,” the White House said in a statement.
Sections 2.4 (Coordination of Framework Implementation), 3.2 (Establishing or Improving a Cybersecurity Program), and 3.3 (Communicating CyberSecurity Requirements with Stakeholders) are important and could be used by operators in most industries.
“While I would love to see more detail, coordination, communication and establishment/improvement of a framework, just seeing it acknowledged as a part of the required process was a good thing,” Hubbard said, noting that security teams frequently operate in a vacuum.
While the framework overall had no major surprises from drafts seen previously, at least one critic thought the privacy language in the framework was too weak. To get a good consensus on this framework, NIST had to weaken the privacy language “quite a bit,” said Jonathan Sander, strategy & research officer for STEALTHbits Technologies, noting that earlier drafts contained “strong language that would have led to a very prescriptive approach to privacy.”
Considering that most data breaches wind up hurting the individual consumer because it’s their personal information that is exposed, the framework should have focused on protecting their privacy, Sander argued.
“Putting teeth into privacy means forcing businesses to strengthen the security around that private data about citizens…So the question is: are we trading adoption for efficacy? Would we prefer standards that will be adopted but simply not get to the core of the issues?” Sander said.
Incremental change is still better than nothing, but it appears the framework should be treated as a work-in-progress and not as the final end-all, cure-all.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst. She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products.