The National Institute of Standards and Technology (NIST) held the third of four workshops in San Diego last week to develop a comprehensive cybersecurity framework for critical infrastructure, as required under the executive order signed by President Obama on February 12, 2013. NIST's goal for the workshop was to solicit feedback from the nearly five hundred attendees to generate content for the preliminary draft framework, which is due in early October.
Ahead of the workshop NIST issued a barebones draft outline of the framework, with the intent of having the attendees fill in a framework "core" built around five cybersecurity functions: know, detect, prevent, respond and recover. Each of these five functions was to be populated with categories (for example, under "know," a category might be "know the enterprise assets and systems"), and each category in turn has subcategories (for example, "know the enterprise risk architecture").
For each category and subcategory, the attendees were asked to identify relevant informative references, such as existing standards, that might be helpful to achieving the objectives of the category or subcategory. NIST prepared a compendium of 322 references, mostly from standards-setting organizations such as ISO, ANSI or NERC, for this purpose.
To get the work done, NIST assigned the attendees to eight working groups, each of which spent the three days of the workshop with a NIST facilitator assessing and modifying the functions, deriving the categories and subcategories, and mapping the relevant references to the appropriate parts of the core.
NIST plans to aggregate the results of the eight working groups into a consolidated document by the end of July and release a more advanced version by the end of August ahead of the next workshop on September 11 in Dallas.
Although few of the workshop attendees could gain visibility into the areas of agreement or disagreement that emerged across the eight groups, NIST is pleased with how the process worked. "What it looks increasingly like is a very rich tool box and a rules management process that teaches you how to use this toolbox," NIST Director Patrick Gallagher said during the second day of the workshop.
"Most of the groups took the task at hand and really started working on the outline and the things we presented," said Adam Sedgewick, Senior Information Technology Policy Advisor at NIST and one of the chief organizers of the framework process.
"It is a little hard to generalize with the working groups being so separate," one cybersecurity specialist for a large municipally owned utility said. "My sense is that aggregating the feedback will give NIST some valuable insight to refine the good start that the framework draft core represented."
Indeed, NIST got high marks from most of the attendees for a smoothly run three days with high-caliber, professional facilitation. Even so, as the clock counts down to the extremely tight October deadline, the following cracks in the framework process continued to emerge:
Is NIST Reinventing the Wheel?
One recurrent concern that has cropped up throughout the entire process is how well this framework fits with existing critical infrastructure cybersecurity practices, most of which have been developed and refined over many years. The specific concern is that critical infrastructure asset owners and operators will have to contend with yet another set of requirements simply layered on top of existing practices which, they believe, already serve them well.
"One theme I heard over and over is why we're building something from scratch, wholly new, when existing frameworks would provide most of the building blocks," one security director at a large investor-owned utility said.
NIST, however, dismisses this notion, saying that the goal of the process is to develop a higher-level, flexible framework that can be applied to the widest range of sectors. "At a high level this is about identifying the existing practices that are out there; that's the theme that we've had from the very beginning," NIST's Sedgewick said. "We want to build off existing practices and not reinvent the wheel."
Only a Few Selected Sectors Are Truly Active in the Process:
The presidential policy directive accompanying the February executive order identifies sixteen critical infrastructure sectors to which the framework will apply, covering a diverse range of industries, from chemical to agriculture to wastewater systems. However, to date, workshop attendance and participation has been dominated by, at most, three sectors -- communications, energy and financial.
The relatively weak showing by the other sectors could handicap the broad applicability of the framework once it's finalized in February 2014. "The sectors that don't participate are sleeping at the wheel because this will have a profound impact on their businesses and their lack of presence means that they're having little influence on the final product," one telecom industry cybersecurity representative said.
"Our process is completely open and we work with the people who come to the table. Every stage of this process is completely open," NIST's Sedgewick said, adding that other sectors have been engaged in the process in different ways, such as through special webinars organized by trade associations and other groups.
Ongoing Concern About Coordination with DHS Efforts:
From the start of the framework process, participants have voiced continuing concern about how well the Department of Homeland Security (DHS), which has been assigned many related tasks under the executive order and policy directive, is coordinating with NIST. That concern was only heightened by the upcoming departure of DHS Secretary Janet Napolitano, which was announced on the last day of the workshop. Both NIST and DHS representatives assured the workshop attendees that the two agencies are working well together on the shared and related tasks.
But some of the attendees felt even more concerned about coordination between the two government arms following the workshop. For example, the executive order requires DHS to separately develop performance goals for the framework, while also stating that the framework itself shall include guidance for measuring the performance of an entity in implementing the framework.
A topic-specific working session on the DHS performance goals held at the workshop was described by one telecom attendee as a "train wreck."
"They [DHS and NIST] were completely unprepared and were stumbling over themselves" in trying to explain the distinction between the two performance-related measures.
Ongoing Fear That The Voluntary Framework May Become Mandatory Regulation:
Again, from the outset of the framework process, many of the participants, particularly Washington representatives of critical infrastructure industries, have feared that political developments or a highly publicized cyber incident may push the current voluntary framework into the mandatory regulation category. This fear was underscored on July 11, the second day of the workshop, by the introduction of a draft Senate Commerce Committee cybersecurity bill which incorporates the framework, still strictly on a voluntary basis.
The fear is that "the heavy hand will come down because the heavy hand is paranoid right now," government cybersecurity consultant Tom Goldberg said. It doesn't help matters that Section 10 of the executive order appears to give the government a hammer of sorts by ordering the sector-specific government agencies to determine whether their current regulatory authorities are sufficient to ensure adequate cybersecurity and, if not, to propose new regulatory authorities.
These and other cracks may close as the framework becomes more solidified; the implementation of the executive order and the framework process are still fluid. The House Homeland Security Committee's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will hold an oversight hearing tomorrow, July 18, on the executive order and the development of the framework, during which DHS and NIST will share more information on the status of their initiatives.
Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.