NIST closer to critical infrastructure cybersecurity framework

Recent workshop gathered feedback to be used for preliminary draft work

The National Institute of Standards and Technology (NIST) held in San Diego last week the third of four workshops to develop a comprehensive cybersecurity framework for critical infrastructure as required under an executive order signed by President Obama on February 12, 2013. NIST's goal with the workshop was to solicit feedback from nearly five hundred attendees to generate content for the preliminary draft framework, which is due in early October.

Ahead of the workshop NIST issued a bare-bones draft outline of the framework, with the intent of having the attendees fill in a framework "core" built around five cybersecurity functions: know, detect, prevent, respond and recover. Each of these five functions was to be populated with categories (for example, under "know," a category might be "know the enterprise assets and systems"), and in turn each category has subcategories (for example, "know the enterprise risk architecture").

For each category and subcategory, the attendees were asked to identify relevant informative references, such as existing standards, that might be helpful to achieving the objectives of the category or subcategory. NIST prepared a compendium of 322 references, mostly from standards-setting organizations such as ISO, ANSI or NERC, for this purpose.

To get the work done, NIST assigned the attendees to eight working groups, each of which spent the three days of the workshop with a NIST facilitator, assessing and modifying the functions and deriving the categories and subcategories, while trying to map the relevant references to the appropriate parts of the core.

NIST plans to aggregate the results of the eight working groups into a consolidated document by the end of July and release a more advanced version by the end of August ahead of the next workshop on September 11 in Dallas.

Although few of the workshop attendees could gain visibility into what areas of agreement or disagreement emerged across the eight groups, NIST is pleased with how the process worked. "What it looks increasingly like is a very rich tool box and a rules management process that teaches you how to use this toolbox," NIST Director Patrick Gallagher said during the second day of the workshop.

"Most of the groups took the task at hand and really started working on the outline and the things we presented," Adam Sedgewick, Senior Information Technology Policy Advisor at NIST and one of the chief organizers of the framework process said.

"It is a little hard to generalize with the working groups being so separate," one cybersecurity specialist for a large municipally owned utility said. "My sense is that aggregating the feedback will give NIST some valuable insight to refine the good start that the framework draft core represented."

Indeed, NIST got high marks from most of the attendees for a smoothly run three days with high-caliber, professional facilitation. Even so, as the clock counts down to the extremely tight October deadline, the following cracks in the framework process continued to emerge:

Is NIST Reinventing the Wheel?

One recurrent concern that has cropped up throughout the entire process is how well this framework fits with existing critical infrastructure cybersecurity practices, most of which have been developed and refined over many years. The specific concern is that critical infrastructure asset owners and operators will have to contend with yet another set of requirements simply layered on top of existing practices, which, they believe, already serve them well.

"One theme I heard over and over is why we're building something from scratch, wholly new, when existing frameworks would provide most of the building blocks," one security director at a large investor-owned utility said.

NIST, however, dismisses this notion, saying that the goal of the process is to develop a higher-level, flexible framework that can be applied to the widest range of sectors. "At a high level this is about identifying the existing practices that are out there. That's the theme that we've had from the very beginning," NIST's Sedgewick said. "We want to build off existing practices and not reinvent the wheel."

Only a Few Selected Sectors are Truly Active in the Process:

The presidential policy directive accompanying the February executive order identifies sixteen critical infrastructure sectors to which the framework will apply, covering a diverse range of industries, from chemical to agriculture to wastewater systems. However, to date, workshop attendance and participation has been dominated by, at most, three sectors -- communications, energy and financial.

The relatively weak showing by the other sectors could handicap the broad applicability of the framework once it's finalized in February 2014. "The sectors that don't participate are sleeping at the wheel because this will have a profound impact on their businesses, and their lack of presence means that they're having little influence on the final product," one telecom industry cybersecurity representative said.

"Our process is completely open and we work with the people who come to the table. Every stage of this process is completely open," NIST's Sedgewick said, adding that other sectors have been engaged in the process in different ways, such as through special webinars organized by trade associations and other groups.

Ongoing Concern About Coordination with DHS Efforts:

From the start of the framework process, participants have expressed continual concerns about how well the Department of Homeland Security (DHS), which has been assigned many related tasks under the executive order and policy directive, is coordinating with NIST, a concern only heightened by the upcoming departure of DHS Secretary Janet Napolitano, which was announced on the last day of the workshop. Both NIST and DHS representatives assured the workshop attendees that the two groups are working well on the shared and related tasks.

But some of the attendees felt even more concerned about the coordination between the two government arms following the workshop. For example, the executive order requires DHS to separately provide performance goals for the framework, while also stating that the framework itself shall include guidance for measuring the performance of an entity in implementing the framework, leaving it unclear how the two measures relate.

A topic-specific working session on the DHS performance goals held at the workshop was described by one telecom attendee as a "train wreck."

"They [DHS and NIST] were completely unprepared and were stumbling over themselves" in trying to explain the distinction between the two performance-related measures.

Ongoing Fear That The Voluntary Framework May Become Mandatory Regulation:

Again, from the outset of the framework process, many of the participants, particularly Washington representatives of critical infrastructure industries, have feared that political developments or a highly publicized cyber incident may push the current voluntary framework into the mandatory regulation category. This fear was underscored on July 11, the second day of the workshop, by the introduction of a draft Senate Commerce Committee cybersecurity bill which incorporates the framework, still strictly on a voluntary basis.

The fear is that "the heavy hand will come down because the heavy hand is paranoid right now," government cybersecurity consultant Tom Goldberg said. It doesn't help matters that Section 10 of the executive order appears to give the government a hammer of sorts by ordering the sector-specific government agencies to determine whether their current regulatory authorities are sufficient to ensure adequate cybersecurity and, if not, to propose new regulatory authorities.

These and other cracks may close as the framework becomes more solidified; the implementation of the executive order and the framework process are still fluid. The House Homeland Security Committee's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will hold an oversight hearing tomorrow, July 18, on the executive order and the development of the framework, during which DHS and NIST will share more information on the status of their initiatives.

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.
