February 25, 2014
Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity for the critical infrastructure of the United States.[1] On the anniversary of this EO's release, the National Institute of Standards and Technology (NIST) issued the final version of its Framework for Improving Critical Infrastructure Cybersecurity (Framework) and a companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (Roadmap). The Framework and Roadmap are the result of a 12-month development process that included the release of multiple versions for public comment and working sessions with the private sector and security stakeholders.
As defined by the EO, “critical infrastructure” consists of “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition encompasses IT and Industrial Control Systems (ICS) that are both physical and digital – and includes processes, not just their automation. Therefore, public and private owners and operators as well as other entities all have a role in securing the nation’s critical infrastructure. An overarching objective of the EO is to provide these organizations with a consistent and iterative approach to identifying, assessing and managing cybersecurity risk. Application of the Framework is technology neutral.
Overview of the Framework
The Framework is a risk-based approach to managing cybersecurity risk. It is composed of three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile. Each of these components reinforces the connection between business drivers and cybersecurity activities. We previously provided an overview of each component as described in the preliminary Framework draft released in August 2013, which served as the basis for the last collaborative workshop before finalization.[2]
The most significant change in the final Framework from prior working versions is the removal of a separate privacy appendix, which was viewed as overly prescriptive and costly to implement. In lieu of that prescriptive approach, a more general set of recommended privacy practices is provided for companies to consider in view of their specific circumstances, e.g., size, degree of cybersecurity risk or current cybersecurity sophistication. The Framework thus acknowledges that there is no one-size-fits-all approach.
The Framework relies on a variety of existing standards, guidelines and practices. Building on these existing standards, guidelines and practices, the Framework provides a common taxonomy and mechanism for industry and government organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk and posture.
Although the Framework is focused on the U.S., it provides a model for international cooperation in strengthening critical infrastructure – and even uses components of many international standards in its composition. It emphasizes using business drivers to guide the advancement of cybersecurity activities and integrating cybersecurity into an organization’s risk management framework. In addition, it emphasizes a desire to protect civil liberties and privacy; however, it does not provide an approach for integrating that objective into cybersecurity programs.
As noted earlier, the Framework consists of three components. The first, the Framework Core, is a set of best practices for cybersecurity activities, outcomes and references to assist in developing an individual organization’s profile. The Core consists of five concurrent and continuous functions – Identify, Protect, Detect, Respond and Recover. When considered together, these five functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework then provides references to existing standards, guidelines and practices an organization can adopt.
The second component, Framework Implementation Tiers, provides a mechanism to understand the characteristics, risk management rigor and level of the implementation/approach to managing cybersecurity risk. There are four tiers ranging from “Partial” (Tier 1) to “Adaptive” (Tier 4). Interestingly, the Framework specifically says the four tiers are not meant to define the maturity level of cybersecurity. Given that the four tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed, they provide context on how an organization views cybersecurity risk and the processes in place to manage that risk considering its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives and organizational constraints.
The third component, the Framework Profile, assists organizations in articulating their current state and target cybersecurity activities. Comparison of Profiles (e.g., the current state and desired state) may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps can contribute to a roadmap for measuring progress as the organization advances toward its desired state. Prioritization of gap mitigation is driven by the organization’s business priorities and requirements (including cost-effectiveness and innovation), risk tolerances and available resources. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
Observations on the Framework
Overall, the Framework is a helpful document for those organizations that have not spent much time focusing on information or industrial control security. For those that have, it is completely consistent with all efforts we have seen in our work in the security and privacy space. We do not see anything in the Framework that is particularly "new," although the Categories and Subcategories in Appendix A may provide an area or two a company had not thought of yet. We also find the emphasis on balancing a cybersecurity program with preserving civil liberties and privacy to be important and timely. As the Framework is intended to be a living document, it is our expectation that cybersecurity controls and procedures will evolve and be included in future versions. The downside is that whatever is published in any version of the Framework will also be available to those parties who are trying to circumvent established controls. The good news is that the Framework serves to raise the level of awareness of the issue and the need for action beyond the headlines.
The new Framework is a risk-based approach to information security, an approach we support and have been articulating for some time. Below are some observations regarding the Framework:
- The approach to leveraging the Framework is identical to the way many organizations perform program assessments today:
  - Define the business priorities and the scope of the program;
  - Define the assets in scope and the threats to them;
  - Create an "As Is" or baseline profile of the organization's security program implementation;
  - Perform a risk assessment of the organization's readiness;
  - Create a "To Be" statement/objective for the security program;
  - Define gaps between the "As Is" and "To Be" states, assess their impact and prioritize remediation activities; and
  - Implement the action plan.
- Organizations familiar with risk management programs such as ISO 31000, ISO 27005 and NIST SP 800-39 and/or information security programs such as ISO 27001/2 and NIST SP 800-53 will find the approach and nomenclature familiar. Organizations currently evaluating their security programs against these standards can easily apply this Framework instead as they assess their cybersecurity profile. However, the Framework does not go down to the control level; therefore, ISO 27002 (for example) will still need to be used to address control-level requirements.
- The Framework is voluntary. It is intended to complement an organization’s existing risk management program and allows it to do whatever it determines is correct and appropriate in the circumstances. We believe this makes great sense.
- There is a reference to organizations including "feasibility to implement" as a criterion for selecting their specific organizational goals for cybersecurity, which allows for flexibility and discretion.
- There is a suggestion for organizations to progress past Tier 1 (Partial). That objective appears to be a reasonable one. It is equivalent to what we would recognize as being at least “Risk Informed,” i.e., Stage 2 or 3 on the Capability Maturity Continuum.
- Appendix A to the document provides excellent examples of the specific elements that should be included in a cybersecurity program. The Informative References further assist the organization in linking the Framework to current actions or more familiar standards and guidelines. This linkage is very helpful.
- It is possible that over time the Framework could be used as a way to communicate the security levels of an organization and provide a basis for certifications:
  - Perhaps the Framework will replace the need for audits and other methods of intra- and extra-company assessments as the focus is directed to certifications. Like other ISO and NIST standards, the Framework may need to mature before it becomes universally accepted.
  - Because there are no specific controls identified or "audit procedures" to follow, the assignment of tiers is not an objective process. To illustrate, ISO 27001 needed its control-specific companion ISO 27002 before meaningful certification could be performed.
  - They say it takes two to tango. Even if a company completes the development of a profile, there has to be another organization willing to accept it. Because the Framework is new, we are at the beginning of the "acceptance curve." Although capable of being accepted globally, there may be some resistance to a U.S.-based Framework in other countries and regions.
Cybersecurity threats exploit the increased number of vulnerabilities that result from the growth in complexity and connectivity of critical infrastructure systems, placing the security, economy, and public safety and health of the United States (or any other country) at risk. Mitigating cybersecurity risk introduces new investment costs that management must consider, but insufficient mitigation plans can also negatively impact revenues and cause customer loss and severe reputational damage, all of which affect the bottom line.
Created through collaboration between government and the private sector, the new Framework uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Use of the new Framework is the next step to improve the cybersecurity of U.S. critical infrastructure, providing guidance for individual organizations while increasing the cybersecurity posture of the nation’s critical infrastructure as a whole. The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities and different risk tolerances – and how they implement the practices in the Framework will vary accordingly.
The Framework is a dynamic document that will continue to be updated and improved as industry and government organizations monitor progress and provide feedback on implementation results. As the Framework is put into practice, lessons learned will be integrated into future versions. This will help ensure it targets the needs of critical infrastructure owners and operators as they face an ever-changing and challenging environment of new threats, risks and solutions.