Kaspersky Lab is always working to develop new technologies for protecting critical computer systems from cybercriminals. In July, I had the opportunity to represent Kaspersky at a symposium sponsored by the National Institute of Standards and Technology (NIST), focused on the national Cybersecurity Framework in the U.S., a document that has the potential to define the standards for protecting critical infrastructure for years to come.
In the U.S. NIST is responsible for developing standards in various areas, including information technologies and security. President Obama issued an executive order to establish the Cybersecurity Framework, i.e. a set of standards of protecting critical infrastructure from cyber threats, and July’s meeting was a chance to define changes to the Framework’s draft.
One of the key questions that came up during the symposium is whether there is a need for government intervention on critical infrastructure protection. After the meeting, it seems that the answer to this question is almost certainly yes. To begin with, the very definition of critical infrastructures is very broad. It includes the IT systems of the financial sector, telecommunications, defense industry, power plants and transportation. In the U.S., the list of critical infrastructure systems is officially defined. There’s no need to explain the threats to the financiers and telecom operators like Bank of America and AT&T. They already know that cyber security issues are very important and they have the relevant experience in this field. However, the situation is much worse with manufacturers.
Industrial networks are poorly protected, and their operators (both private and government-owned) generally get a bad picture of what cyber threats are like and how defense should be used. The discussions at the NIST forum made it clear that within this sector, most of those who are responsible for the security (both in general and in relation to the IT-infrastructure) treat cyber threats using this assumption: “Storms rage… but usually they do elsewhere.” At the same time, all the representatives of the industrial sector who I had a chance to talk to at the event agreed that the current edition of Cybersecurity Framework lacked specificity for manufacturers and industrial control systems. I believe the industrial sector should have been the primary target of NIST’s initiative, and this opinion of mine was supported by industry experts, including Doug Wylie of Rockwell Automation.
In addition, the July draft version of Cybersecurity Framework contains no clear description of the threats themselves. And that’s a missed opportunity. Without a good definition of the existing threats, the industrial sector is going to keep on treating the very real threats as theoretical ones. During the symposium the participants agreed on the fact that the final version of the Cybersecurity Framework should be as objective and informative as possible, written in language that’s comprehensible at all levels – to shareholders, executive directors, midlevel managers and security professionals who would like technical details and practical solutions, too.
Phil Agcaoili of Cox Communications gave a good example of such documents by describing the principles of protection designed by the Cloud Security Alliance. This is an extremely appropriate document structurally and logically, although it is unlikely to address the protection of industrial systems. The relevant part of it is reserved for data protection issues and data leaks prevention. Confidential data isn’t usually a major problem in industrial networks. The technological process itself and its continuity are the top priorities and they are to be protected from alterations and violations by intruders that may cause severe and catastrophic consequences for the company and for millions of other people.
As a result we find ourselves in a situation where the representatives of the industrial sector have a poor understanding of what a threat is and what methods of protection exist. The IT people for their part are well-versed in cyber security, but they don’t know the details of protecting industrial networks and processes.
Fortunately, there is some progress. There is concern on the subject, too. The direct evidence of it was the number of participants in the working group in July – about 350-400 people. I honestly did not expect to see more than a hundred.
It is definitely good that NIST is holding public hearings on the subject, and that the government is driving the solution to this issue. The document developed by NIST is not explicitly American, so there’s nothing that would prevent other organizations from adopting these standards and guidelines for protecting industrial infrastructure from cyber threats in other countries, where the problem is no less intense.
In order to add some practical value to Cybersecurity Framework though, “sectoral” specifics are needed that would describe real threats, and the language and the style of presentation should be clear for all readers, including top managers, technical specialists and middle management. It is too early yet to discuss the readiness of NIST to provide the most efficient set of rules and recommendations on protecting critical infrastructures, with the clear definition of threats as well as of methods to defeat them.
Even the updated, late August version of the Framework, based on the results of the seminar in July, mentions “Industrial Control Systems” only once: “Manage risk to specialized systems, including operational technology (e.g., ICS, SCADA, DCS, and PLC) consistent with risk analysis”. Luckily, the new version is based on the principles of “Security Control Matrix”, which itself uses the ideas of a similar approach offered by The Cloud Security Alliance. And this is a good sign, indeed.
The work on the document continues, and the next NIST event on the topic will take place soon, on September 11-13. Of course, Kaspersky Lab experts will continue to contribute.
*Vyacheslav Borilin is Kaspersky Lab’s expert on Critical Infrastructure Protection