NIST's finalized cybersecurity framework receives mixed reviews

There has never been a successful catastrophic cyberattack on North America's critical infrastructure (CI) -- yet.

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework 1.0, to be issued Feb. 13 in response to an executive order from President Obama, aims to keep it that way.

But there is considerable debate within the security community about whether it will improve the protection of CI, which includes transportation, energy, food, water, financial services and other systems.

Some, like Andrew Ginter, vice president of industrial security at the Canadian firm Waterfall Security Solutions, contend that it takes a misguided approach to the magnitude and complexity of the threats.

Ginter wrote in a recent blog post that the framework is too complicated for the top management and board members of organizations that run industrial control systems (ICS). Worse, he said, it "leads senior management to ask the wrong kinds of questions about the security of critical infrastructure sites," by focusing on "actuarial" risk rather than on the capabilities of the most sophisticated potential attackers.

The question, he said, should not be, "How many times was the North American power grid taken down by a cyber assault in the last decade, and what did each such incident cost? The answer is, of course, zero."

Instead, he said, it should be, "When our most capable enemies attack us, what is the most likely outcome?"

Joe Weiss, managing partner at Applied Control Solutions, has argued for years that government organizations like NIST and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too focused on "compliance" and not enough on real security.

But Kevin Bocek, vice president of product marketing and threat research at Venafi, said the impending Framework 1.0 "moves IT security strategy forward to include modern defensive strategies. The framework places greater emphasis on detecting and responding to security incidents instead of just trying to prevent them."

Bocek said he thinks the framework "strikes a balance between capabilities vs. actuarial for a broad audience." And he said the fact that it includes a focus on "detection, response, and remediation instead of just prevention puts the framework ahead of many current IT security strategies that assume attackers can be locked out at the firewall."

TK Keanini, CTO at Lancope, suggested that some of the criticism may be due to unrealistic expectations. The framework is not meant to be a magic bullet, he said, but instead, "a baseline to what is reasonable should an incident occur."

Advanced threats, he said, "evolve and innovate on a daily basis whereas the Cybersecurity Framework takes months, if not years, to gain consensus and be implemented."

NIST, a non-regulatory agency of the Department of Commerce, has had Framework 1.0 in the works for a year, following the president's executive order, "Improving Critical Infrastructure Cybersecurity," signed Feb. 12, 2013. The agency said it has been developed, "by collaborating extensively with critical infrastructure owners and operators, industry leaders, government partners, and other stakeholders."

Framework 1.0 is organized around five core functions, Identify, Protect, Detect, Respond and Recover, intended as a system for protecting CI assets and responding effectively to attacks.

Through spokeswoman Jennifer Huergo, NIST said it could not respond to Ginter's criticism. "We haven't had a chance to digest the blog post, and would need to give it more thought," she said, but added that the Obama administration considers the protection of CI a "high priority," and believes the framework, "will be a useful tool for helping to improve the cybersecurity of critical infrastructure and other industries."

The risk of a catastrophic attack is also a subject of continued debate. Some security experts have said even a major attack would be unlikely to do much more damage than a bad hurricane. Keanini said he thinks an "apocalyptic event" is unlikely. Instead, he foresees, "just a continuous stream of security incidents that keep cybercrime profitable and organizations and individuals getting better at incident response."

But others agree with federal officials, who have warned a number of times in recent years of the risk of a "Cyber Pearl Harbor."

The potential for catastrophic damage and loss of life was demonstrated seven years ago at the Idaho National Laboratory in what was called the Aurora test, where a staged cyber attack destroyed a diesel generator.

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), famously told CBS's "60 Minutes" in November 2009, "if you can hack into that control system, you can instruct the machine to tear itself apart. And that's what the Aurora test was." He added that it requires a lead time of three or four months just to order major electrical generators, let alone get them manufactured and installed.

At the time, CNN quoted economist Scott Borg, who produces security data for the federal government, saying that if a third of the country lost power for three months, the economic price tag would be $700 billion, or, "the equivalent of 40 to 50 large hurricanes striking all at once."

Much more recent research is unsettling as well. While some security officials have said it would be difficult to take down a broad section of the power grid because of a diversity of control systems that would require multiple types of malware to attack, three researchers from the Network Science Center at West Point published a paper on Jan. 6, arguing that an adversary could target, "certain substations and sources of power generation to initiate a cascading failure that maximizes the number of customers without electricity."

Weiss said the risk of such damage is high. He said the claim that there is wide diversity among CI control systems is a myth. Most of them, he said, "are exactly the same. Not just similar -- exactly the same."

In a blog post, Weiss noted that, "there is a reason that ICS-CERT provides advisories on ICS malware to the entire community, not just to a single entity, and that ICS vendors send out advisories to ALL of their customers."

Venafi's Bocek adds that the damage doesn't have to be physical to be devastating. "When the Dutch Certificate Authority, DigiNotar, was breached, the Netherlands government was unable to use electronic communication for days because the trust established by cryptographic keys and digital certificates was broken," he said.

"While this incident was not an attack on an electrical power plant or water supply system, it illustrates how very real an attack on critical infrastructure can be."

One thing is certain. Cyber attacks on CI are increasing. ICS-CERT, a division of the Department of Homeland Security (DHS), reported last summer that the energy sector reported about a third more cyber incidents (111) in the six-month reporting period ending in May than in the previous 12 months (81).

So there is little to no debate over the need to improve security of CI systems. Whether Framework 1.0 will do that will likely be debated through its rollout and beyond. The general view from security experts seems to be that while it has flaws and omissions, it will still be useful.

Most applaud President Obama for focusing attention on protecting CI, but remain dubious that government frameworks will keep up with rapidly evolving threats. There is also some concern that not all operators will sign on, since the framework will, at least at the start, be voluntary.

In an interview, Ginter argued that it is not enough for top management to ask, "Are our communications networks secured?" (one of the NIST requirements).

"The answer they'll always get is, 'Yes, of course.' But what does that mean?" he said. "Concrete questions might be, 'Can any messages from the Internet reach our safety critical systems either directly or indirectly?' The framework does not give these kinds of tools to executives."

Bocek criticized it for omitting, "the critical element of trust, established by cryptographic keys and digital certificates, which is foundational to all cybersecurity." But, he added, "One thing is certain: critical infrastructure protection will be better off with the framework than without."

Ginter said he thinks the framework should call for Unidirectional Security Gateways (USG), a network appliance that allows data to travel in only one direction: out of the network segment that needs more protection (such as a control network) to the segment that needs less, while physically preventing anything from traveling back in.
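Ginter's question ("can any messages from the Internet reach our safety critical systems either directly or indirectly?") and the one-way gateway he proposes as an answer can both be checked mechanically at the zone level. The following Python is an added example, not code from the article, from Waterfall Security or from NIST; the zone names, the rule syntax and the two sample policies are constructed for illustration. It models each permitted flow as a directed edge and asks whether any chain of individually permitted hops connects the Internet zone to the safety zone, first with ordinary bidirectional firewall rules and then with the corporate/OT boundary replaced by a unidirectional edge.

```python
"""
Zone-level reachability check for a plant network.

Added example, not from the article, Waterfall or NIST. The rule format,
zone names and both policies below are constructed for illustration.
"""
from collections import deque

# Constructed sample policy: one line per permitted flow, written as
#   allow <src_zone> -> <dst_zone> <service>
# Anything not listed is denied. A bidirectional link appears as two lines.
POLICY_WITH_FIREWALLS = """
allow internet -> dmz tcp/443
allow dmz -> corporate tcp/443
allow corporate -> dmz tcp/443
allow corporate -> ot_dmz tcp/1433    # historian replication
allow ot_dmz -> corporate tcp/1433
allow ot_dmz -> control tcp/502       # historian polls PLCs (Modbus/TCP)
allow control -> ot_dmz tcp/502
allow control -> safety tcp/502       # engineering access to safety PLCs
"""

# Same plant with the corporate/OT boundary replaced by a unidirectional
# gateway: data may leave the OT side, nothing is permitted back in.
POLICY_WITH_USG = """
allow internet -> dmz tcp/443
allow dmz -> corporate tcp/443
allow corporate -> dmz tcp/443
allow ot_dmz -> corporate tcp/1433    # one-way replica out of OT
allow ot_dmz -> control tcp/502
allow control -> ot_dmz tcp/502
allow control -> safety tcp/502
"""


def parse_policy(text):
    """Turn rule lines into an adjacency map {src: {dst: [services]}}."""
    graph = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow" or parts[2] != "->":
            raise ValueError(f"unparseable rule: {raw!r}")
        _, src, _, dst, svc = parts
        graph.setdefault(src, {}).setdefault(dst, []).append(svc)
        graph.setdefault(dst, {})              # every zone is a node
    return graph


def find_path(graph, source, target):
    """Breadth-first search; returns the shortest zone path or None.

    A one-hop path is 'direct' reachability. Anything longer is the
    'indirect' case: every hop is individually permitted, yet the chain
    still connects the two zones.
    """
    if source not in graph:
        return None
    parents = {source: None}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in graph[zone]:
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def internet_reaches_safety(policy_text):
    """Answer Ginter's question for one policy: the path found, or None."""
    return find_path(parse_policy(policy_text), "internet", "safety")


if __name__ == "__main__":
    for label, policy in (("firewalls only", POLICY_WITH_FIREWALLS),
                          ("with unidirectional gateway", POLICY_WITH_USG)):
        path = internet_reaches_safety(policy)
        print(f"{label}: {' -> '.join(path) if path else 'no path'}")
```

With the firewall-only policy the check returns the five-hop chain internet, dmz, corporate, ot_dmz, control, safety even though no single rule looks unreasonable; with the one-way edge it returns no path. The model is only as good as the rule inventory: dual-homed hosts, remote-access jump servers and removable media are extra edges that a firewall export will not show, and a real tool would also track services and stateful return traffic rather than zones alone.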

But he acknowledged that security is an ongoing battle. "My role is to provide my best advice and insights," he said. "Standards always lag the state-of-the-art, and generally lag, to some degree, the state-of-the-practice. This is the nature of the beast."

Stories by Taylor Armerding