Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

The NIST Cybersecurity Framework – Improving Cyber Resilience?

NIST Cybersecurity Framework

NIST Cybersecurity Framework

A few weeks ago, the National Institute of Standards and Technology (NIST) issued the final version of a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks. The framework was the result of an executive order issued by President Barack Obama last year that in part directed NIST to come up with a set of voluntary cyber security standards for critical infrastructure companies. The big question that remains is whether the proposed guidelines can truly improve cyber resilience and if they should be adopted by enterprises of all shapes and sizes.

Data breaches at Adobe, Target, and Neiman Marcus made headlines over the last few months. However, they’re just the tip of the iceberg. According to the Data Breach QuickView Report 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents. The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record, which was 2011. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporate America, generate revenue, or carry out criminal activities. The growing number of cyber-attacks has become one of the most serious economic and national security threats our nation faces.

In response, President Obama issued Executive Order 13636, which mandated the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cyber security risks. This Cybersecurity Framework, developed by NIST with the collaboration of other government agencies and the private sector, establishes a common nomenclature to address and manage cyber security risk in a cost-effective way. One of the main objectives of the framework was to avoid placing additional regulatory requirements on businesses, but rather provide a risk-based approach to cyber security.

The NIST Cybersecurity Framework is comprised of three components: The “Core”, which represents a set of activities to anticipate and defend against cyber-attacks. The “Implementation Tiers”, which provide a set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack. The “Profile” can be used to identify opportunities for improving an organization’s cyber security posture by comparing a current profile with a target profile.

The NIST Cybersecurity Framework also includes a comprehensive collection of so-called Informative References, which are specific sections of standards, guidelines, and practices common among critical infrastructure sectors.

While several tech groups praised the decision to focus the framework on risk management rather than creating another check-box type regulatory compliance mandate, many industry experts believe it falls short on really driving cyber resilience.

Security-minded, mature organizations already have a solid understanding of how their network needs to be secured and have applied many of the standards, guidelines, and practices referenced in the framework. So while the framework doesn’t necessarily improve their cyber resilience, it does provide a common nomenclature and methodology to help less advanced organizations assess their level of security preparedness and benchmark themselves.

Notably, the framework falls short in offering incentives to organizations to apply the NIST Cybersecurity Framework, which was the original intention of the President’s Executive Order. Organizations too often lack the necessary resources to apply all of the outlined standards, guidelines, and practices. Without the commitment of management and board of directors to provide adequate resources for risk management, organizations’ security posture won’t significantly improve.

That’s because applying the NIST Cybersecurity Framework adds to the volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized. Without automation it can take months and even years to perform big data risk analysis and piece together an actionable security assessment picture. The Framework’s lack of incentives will most likely lead to an uneven adoption across commercial markets, except for the financial services, energy, and healthcare sectors which are under constant attack and have suffered the most serious security breaches.

Meanwhile, one of the most critical components for detecting and protecting against widespread cyber-attacks across different verticals and industries has been completely dropped from the NIST Cybersecurity Framework: the bi-directional sharing of sensitive threat information. It is well documented that cyber criminals are coordinating their efforts and sharing vulnerabilities and attack methodologies. To counter them, government and private industry must work hand-in-hand to quickly distribute information about threats. Sadly, the fallout from the Edward Snowden scandal might prevent the implementation of this type of collaboration for years to come.

In the meantime, commercial sectors must rely on information sharing communities such as the Financial Services Information Sharing and Analysis Center (FS ISAC) and Red Sky Alliance. These organizations offer threat feeds that organizations can leverage to contextualize threat information within their enterprise architecture.

The NIST Cybersecurity Framework is a good first step towards creating a standardized approach to cyber security, but requires many substantial updates before really improving our nation’s cyber resilience.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.

ICS/OT

Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that...

ICS/OT

Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.