Obama administration aims for bottom-up approach to creating global standards for protection of IT and critical infrastructure.
Research by Lloyds of London insurer Aegis London warns of a shift in the cyberthreat landscape, away from typical data breaches to attacks on the operational systems that support global critical infrastructure.
Two recent, high-profile incidents — sustained cyberattacks emanating from the Middle East on major U.S. banks, despite numerous measures to stop them, and the wiping of 30,000 hard drives at oil and gas firm Saudi Aramco — serve to illustrate the problem. Both attacks occurred in 2012.
“Our sense is that these incidents are increasing in number,” says Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS). “As infrastructure operators pay more attention and work with our teams, they’re discovering there have been bad guys on their networks already, often for a very long time.”
Kevin Stine, manager of the Security Outreach and Integration Group at NIST
Photo: James Kegley
After attempts to pass legislation to address the threat, President Obama issued Executive Order 13636 in February 2013, directing the National Institute of Standards and Technology (NIST) to develop a voluntary, risk-based cybersecurity framework of industry standards and best practices to help critical infrastructure–related organizations address their cybersecurity risks. After a year of consultation with industry and federal agencies, NIST produced version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity.
“The framework is meant to be a tool for using an organization’s business drivers to guide cybersecurity activities as part of an overall enterprise risk management strategy,” says Kevin Stine, manager of the Security Outreach and Integration Group at NIST. “It can also be used to express cybersecurity expectations to partners and suppliers. For example, a healthcare organization thinking of cybersecurity in the context of HIPAA, and a financial services organization thinking in terms of financial regulations, may have very different ways of expressing cybersecurity requirements. The framework provides a common language and taxonomy to guide the security discussion across these communities.”
The framework covers 16 critical infrastructure sectors — including public health, transportation, finance, communications, energy and manufacturing — with different needs. Its broad scope has received varying reviews, but there’s little question the framework will have an impact on the way federal agencies address cybersecurity issues, whether across their own infrastructures or those of industries with which they interface.
That said, government officials are only now beginning to examine how the framework will coexist with other cybersecurity controls and standards that agencies must follow. “The federal government is in the process of identifying the best approach to aligning the existing cybersecurity approach with the NIST framework,” says White House spokeswoman Laura Lucas Magnuson.
For its part, NIST suggests four ways that an organization might employ the framework: to conduct a basic review of cybersecurity practices; establish or improve a cybersecurity program; communicate cybersecurity requirements to stakeholders; or identify new or revised references for solutions.
Thanks to its broad focus, analysts say the framework is a useful tool for any agency or organization that needs a systematic strategy for addressing risks, both internally and with partners. “Just about any organization can see itself in the framework,” says Stine, “and use it to identify areas in which it can improve its cybersecurity efforts to better manage those risks.”
Already, certain state governments, including Pennsylvania and Virginia, have discussed plans to adopt the framework.
Though adopting the framework is voluntary, Jeff Greene, former senior counsel to the Senate Homeland Security and Governmental Affairs Committee, doesn’t expect that to be a problem.
“I think we’ll see wide adoption because it has the NIST seal of approval and the process had so much engagement that critical infrastructure participants feel a sense of ownership and investment,” says Greene, who is currently senior policy counsel for Symantec. “We’ve even been using it as a lens to examine everything we do. Smaller organizations will find it invaluable for their own security strategies.”
When NIST and experts familiar with the framework talk about it, they start by describing what it is not.
The Cybersecurity Framework is not a collection of specific controls or technologies, such as NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems and Organizations), nor does it apply to any specific industry or industry sector. It’s not mandatory, nor meant to replace any existing policies, procedures and controls. And it’s not a compliance document.
What it is, however, is a methodology for assessing and addressing an organization’s risk of cyberattack.
“NIST 800-53 is a great document, but it’s 460 pages long,” says Bob Gourley, former chief technology officer of the Defense Intelligence Agency and publisher of CTOvision .com. “By understanding their risks and threats better, agencies can use this framework to prioritize and implement that guidance.”
Gourley also sees the framework as a tool for helping agencies automate their threat response.
The framework has three principal parts: core guidance, a set of implementation tiers, and advice for filling gaps in an existing cybersecurity program.
The core comprises five security-related functions that an agency can use to understand its current state: identify, protect, detect, respond and recover. Each is broken down into subsections matched to existing standards or guidelines, such as NIST SP 800-53.
For example, the “identify” function details how an organization can develop an understanding of its business context, risk, systems, assets, data and capabilities in order to focus its security efforts effectively. They achieve this insight, according to the framework, through best practices in asset management, governance, and risk assessment and management, such as ensuring “asset vulnerabilities are identified and documented.” They can identify such vulnerabilities through targeted measures such as NIST SP 800.53 Rev. 4, Security Assessment 2 (CA-2).
The second part of the framework spells out four implementation tiers: partial, risk-informed, repeatable and adaptive. The tiers — “adaptive” being the most advanced — indicate increasing sophistication in risk awareness and applying cybersecurity practices. Organizations are not expected to aim for the top tier, but rather the tier that makes the most sense in light of their risk profile, needs and resources.
The third part, the Framework Profile, helps organizations develop a roadmap for filling in any gaps between their current security profile and their target implementation profile, based on their requirements and risk tolerance.
“A lot of work went into creating the framework, and a lot more will go into figuring out how agencies should use it as they work with companies in their jurisdiction,” says Stephen Lilley, a lawyer at Mayer Brown who has written about the framework.
Generally speaking, agencies can and will employ the framework in different ways. For example, section 10 of the original executive order tasks agencies that regulate critical infrastructure with using the framework to evaluate whether existing regulations are sufficient and to propose fixes if they aren’t. Conversely, agencies may determine that certain regulations are too burdensome, given the risk profile of the industries they work with.
On the other hand, agencies that actually operate critical infrastructure, such as the Veterans Affairs Administration’s network of healthcare facilities, can use the framework to evaluate and improve existing cybersecurity profiles. They can also urge contractors to employ the framework.
“If agencies favor suppliers that make use of the framework, they can help to make it a standard of care,” says Emilian Papadopoulos, chief of staff at Good Harbor Security Risk Management.
In the end, the goal is for the public and private sectors to adopt a similar, agreed-upon approach to cybersecurity. And agencies will play an important role in making it happen.
“The framework is a promising tool for critical infrastructure operators and government suppliers,” says Lilley. “Federal agencies now need to ensure that promise is fulfilled.”