President Obama tasked NIST with creating a Cybersecurity Framework (CSF) to help secure the critical infrastructure. NIST released Version 1.0 of the CSF on February 12th.
We have had a chance to dig into the CSF and even use it in a few consulting engagements, so here are some thoughts after three months living with the CSF.
The Bad (Let’s get this out of the way)
There is little if anything new or special about the CSF for the ICS community. A number of other existing and draft documents are as good or even better than the CSF for structuring and measuring an ICS cyber security program. We thought this during the creation and at Version 1.0 release. This is still our opinion after trying it out for three months.
Given the CSF drafting process involved a lot of interested parties and had great mindshare and impetus, this was a wasted opportunity that likely will not be available again until the next President. I explored this and other items with Jack Whitsett in a podcast last December.
We have been pleasantly surprised at the psositive outcomes of the CSF, and they have greatly exceeded at least my expectations.
1. C-level Executive Awareness and Involvement
I expect most CEO’s and COO’s with critical infrastructure ICS to be asked by board members, stockholders, analysts and others if they meet or are compliant with the CSF in the next two years. Of course this is a nonsensical question given the structure of the CSF. The right questions are:
– do you have a current policy and target policy?
– do you have a plan to close the gaps between these two policies and when will the plan be completed?
– what risk management tier are you currently at and do you plan on moving up to a higher tier?
Even if the questions are wrong, getting the C-level executives involved in this issue is a huge plus.
This is already happening with our clients, admittedly a very security conscious group, and most assessments this year will have at least a CSF current policy component.
Yes, an owner/operator can pursue the CSF with the intention of leaving the ICS in a very vulnerable state and succeed at this … but they have to put this on paper. This document could really haunt them if they are accepting risks without involving senior management and something happens. If audit gets involved it could also make a security laggard look bad if they have said a large number of the sub-categories do not apply.
2. Lingua Franca
Industry and standards groups in the US are busy mapping their documents to the CSF. The American Water Works Association got an early start. Check out Appendix A in their Cybersecurity Guidance document. You will soon see ON-C2M2 (oil and natural gas) and ES-C2M2 (electric sector) map to the CSF. We expect every sector standard and guideline to map to the CSF. It will be necessary to answer the questions from #1.
This does add work to security governance because asset owners should really map their security controls to both their sector standard and to the CSF. And early on some of the mappings are a stretch, but this will likely be addressed in future versions of the sector standard.
I’m curious which, if any, of the sectors will reorganize their standards and guideline document to the CSF format and just have specific controls listed by sub-category. This certainly would make life easier for their sector members.
The Framework Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) have confused a lot of people. They mistakenly think they are related to security controls in the profiles, but this is not the case. In fact the CSF states “Successful implementation of the Framework is based upon achievement of the outcomes in the organization’s Target Profile(s) and not upon Tier determination.
The confusion may be coming from the fact the Tiers look like an easy to understand and quantify measure. We have had numerous people ask us if a security assessment will tell them what Tier they are at and what security controls are required to reach the next Tier.
The Tiers are a measure of the sophistication and effectiveness of risk management. In theory an ICS in a company with a Tier 4, the highest, risk management program could be significantly less secure than an ICS in a company with a Tier 1 risk management program if the Tier 4 company chose to accept much more risk.
A more sophisticated and effective risk management program should apply the appropriate level of security, not too much or too little. This can still cause problems in the critical infrastructure ICS where a risk may be acceptable to the company but not the city, region or country.
I’m looking forward to hearing others’ experience with the CSF in the comments and the personal messages.
Image by Kaz k