NIST – Framework for Improving Critical Infrastructure Cybersecurity
What is in the standard
In response to Executive Order 13636, Feb 2013 calling for the development of a voluntary Cybersecurity Framework to improve critical infrastructure cybersecurity. It is a “risk-based approach to managing cybersecurity risk”. This framework provides guidance to industry and organizations on managing cybersecurity risk. Critical infrastructure is not a predefined set of industries but rather any system and assets which are vital enough to the United states that if compromised, would result in a debilitating impact on national security, the economy, and/or public health and safety.
The Framework is neutral when it comes to technology. It provides a mechanism for organizations to describe current and future state cybersecurity postures, improvement processes and assessment, and communication plans to stakeholders. The framework is unfortunately weak on prevention, and focuses heavily on five core functions; identify, protect, detect, respond, recover. This is due to the fact that it views the functions, categories and subcategories of the framework for IT and ICS to be identical. They have taken a cyber risk framework directly from an IT context and applied it to ICS. Not emphasizing prevention as a core function in the realm of protecting critical infrastructure is a weakness in the framework. Under the core function of “protect”, there is not specific guidance on protecting the perimeter or boundary of the ICS network. Appendix A – the Framework Core, does not appear to be specifically tailored to ICS, rather an IT framework lightly applied to industrial control operators. To attest to this, the second category within the Protect function is data security. Rather than seeing an emphasis on industrial safety and control, which is top priority within ICS, the framework takes a typical IT driven focus: data protection. The core framework itself does not mention safety of personnel inside ICS at all, (it only mentions public safety in the summary text).
Overall, this is a very IT focused and based framework which has been very lightly modified to be applied to industrial control systems. This framework could apply to any organization, which again begs the question, why apply another generic IT model to ICS. Understanding what is most important to protect from cyber attack in ICS, safety and control, not data and information, is the only way we will be able to provide a valuable framework operators of critical infrastructure can implement.