NIST released its long-awaited Framework for Improving Critical Infrastructure Cybersecurity on February 12. First, let us applaud NIST for meeting the deadline as required, no matter that it was mandated by an Executive Order. Thankfully at least one D.C. agency gets its work done on time.
After one reading I find lots to like in this framework. It covers aspects often neglected in cyber security. For example, it’s impossible to overstate the importance of a glossary. Inconsistent terminology is a sure way to undermine any undertaking. Although some of the terminology in this framework is not used the way that I would use it, I can change. We all can.
Another nice feature is the concept of an iterative approach. The approach is security as an ongoing concern, not an annual ticket punch. One of the worst business books I have ever read still had one nugget worth recalling: “Finished Never Is.” Cyber security is always ongoing: threats are always changing.
I was also impressed that the framework was developed with use outside the United States in mind. Of note, there is more focus on data privacy than we usually see in the United States – although it’s fair to note that that was a requirement of the Executive Order. At nearly every cyber security conference I have attended in Europe, a speaker from NIST has presented. NIST even sits on some of the ENISA standards committees, and I have more than once heard European policymakers suggest simply adopting NIST cyber security standards for Europe.
Change We Can Afford
Another nice touch is the pragmatism: “While organizations identified as Tier 1 (Partial) [i.e., organizations that have only partially implemented risk analysis or cyber security] are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.” That must be the first time I’ve read a standard that said only do this if you can afford it and it will make your life better.
There are challenges. Any organization that does not currently have an asset-based risk analysis will have to create that first. I do not know of any utilities that have an asset-based risk analysis of their control networks. Merely identifying all the assets in a control network can be challenging. Quantifying the impact and probability of each risk for each asset can be a long and possibly contentious process.
Implementing this framework will be an enormous amount of work for a utility. Outside help may be necessary. IBM has already announced an offering to help implement the framework.
Next, there’s that word voluntary. That is not a weakness in the framework itself, but utilities have, in general, shown a willingness to invest only in cyber security that is required by laws or regulations. Will this framework drive more cyber security investment? It might by giving both vendors and utilities a common target. The framework’s ability to give all stakeholders a shared vision is a major step forward.
Tags: Cyber Security, Policy & Regulation, Smart Grid Security, Smart Utilities Program