The U.S. government’s federal technology agency has published a draft version of a voluntary framework it hopes will guide the private sector in reducing the risk of cyber attacks on critical infrastructure.
The National Institute of Standards and Technology (NIST) published a draft of its Preliminary Framework to Reduce Cyber Risks to Critical Infrastructure on Monday. The document provides a guide for critical infrastructure owners of different maturity levels to begin documenting and understanding their risk of cyber attack, and – eventually – to measure their performance in areas such as asset management, threat detection and incident response.
The framework was called for by Executive Order 13636, signed by President Obama in February. In that order, NIST was charged with creating a framework for sharing cyber security threat information and information on successful approaches to reduce risks to critical infrastructure.
The Framework comprises five major cybersecurity functions:
- Know (ing) – defined as gaining the “institutional understanding to identify what systems need to be protected,” as well as the priority of those assets.
- Prevent (ing) – defined as “categories of management, technical, and operational activities” that can ensure adequate protection against threats to critical infrastructure components. Practically, these correlate with many defensive and security tools, like IAM, application and network security, and so on.
- Detect (ing) – generally, monitoring tools and other means of observing undesirable events that increase cyber risk.
- Respond (ing) – specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.
- Recover (ing) – defined as “categories of management, technical, and operational activities that restore services that have been impaired by a cybersecurity risk event.” This could be traditional disaster recovery, or follow-up training and education.
Within each category, there might be many subcategories, each linking to reference information (like other published NIST standards) to inform the framework user. Those subcategories aren’t known yet, but will be hammered out during a workshop on the Framework that NIST will hold in San Diego, California, from July 10 to July 12.
NIST created the document based on input from the IT security community. It said the draft represents the consensus of that public input. Specifically, the agency said that many reviewers agreed that the Cybersecurity Framework would not be effective unless senior management within affected organizations were “fully engaged and aware of the vulnerabilities and risks posed by cybersecurity threats – and committed to integrating cybersecurity risks into the enterprise’s larger risk management approach.”
As a result, the draft focuses on how senior executives and others can use the Framework to assess their risks, how their organization is managing those risks and how their efforts align (if at all) with existing cybersecurity standards, guidelines, and practices.
When implemented, the framework will further break down each security function by role, with different tasks for Senior Executives, Business Process Managers and Operational Managers. Further, organizations will be asked to assess the degree to which they have implemented each function, category and subcategory using “FILs” or Framework Implementation Levels.
Critical infrastructure in the U.S. is largely in private hands and is a top concern of government officials worried about cyber incursions by foreign nations. The Department of Homeland Security Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued a report last week that found attempted cyber attacks on critical infrastructure in the U.S., including energy and critical manufacturing, jumped sharply in the first half of 2013. The agency has responded to 200 such incidents so far in fiscal year 2013 (October of 2012 to May of 2013), compared to 198 incidents for all of fiscal year 2012. A majority of those incidents – 53% – were against organizations in the energy sector, ICS-CERT reported.