Critical infrastructure operators have been handed a cybersecurity framework by the U.S. government that sketches, in broad strokes, how to defend IT and SCADA networks in some of the country’s most sensitive industries, such as energy, water and financial services.
NIST today announced the Framework for Improving Critical Infrastructure Security, a 41-page document produced as a collaborative effort between industry and government. It compiles cybersecurity standards and practices that the standards body hopes private sector operators will consider as they build out security programs.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Barack Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”
The framework is a deliverable coming out of Executive Order 13636, which was signed a year ago and directed critical infrastructure stakeholders to develop and deliver such guidance in conjunction with the government.
A number of executives from leading energy, financial and telecommunications firms praised the framework as an important baseline toward the establishment of new cybersecurity programs or the enhancement of existing efforts.
“The Cybersecurity Framework represents a comprehensive compendium of sound and effective cyber defense processes, practices, and protocols available today,” said Myrna Soto, senior vice president and CISO at Comcast Cable. “We will evaluate the Framework Core to assess whether it can be tailored and adapted to our business circumstances and network configuration, and possibly serve as a reference tool for managing the cyber risks and threats we face.”
The framework, NIST said, is a living document that helps an organization define its current and desired cybersecurity state, identify areas of need, measure how well it is progressing toward that desired state, and communicate with internal and external stakeholders about risks that threaten services. The framework is meant to be a companion to existing risk management procedures, the document says.
There are three parts to the framework:
- The Framework Core establishes common outcomes, references and activities organizations can use to communicate desired states across an organization. According to the document, the Core has five functions: identify; protect; detect; respond; and recover from an incident, providing a high-level strategic outline for critical infrastructure operators.
- Framework Implementation Tiers describe an organization’s current practices and help a security team determine whether current processes are risk-aware, repeatable and adaptive enough to current threats.
- The Framework Profile establishes the desired outcomes as they relate to business needs. The document says the profile is an alignment of standards, guidelines and practices to the Core for particular implementation scenarios.
“Each of the Framework components reinforces the connection between business drivers and cybersecurity activities,” the White House said in a statement. “The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.”
Threats to critical infrastructure have been top of mind, not necessarily because of their sophistication but because of the general disregard for information security built into the SCADA and industrial control systems that manage critical infrastructure. Experts have made child’s play out of finding exposed systems online protected only by default passwords, or critical gear running out-of-date software, making vulnerabilities trivial to exploit.
“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” Obama said. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”