Government // Cybersecurity
News
4/21/2014
09:06 AM

Protecting Critical Infrastructure: A New Approach

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?

standards that developers identified in a series of workshops over the past year, applicable to basic security in almost any organization.

The document consists of three parts:

  • The Framework Core, a template of activities and outcomes that organizations can use with their best practices.
  • The Framework Profile, which helps organizations align their cyber-security activities with their business requirements, risk tolerances, and resources.
  • The Framework Implementation Tiers, which help organizations rate their cyber-security readiness based on four levels of maturity.

The framework lays out three basic steps:

  • Determine if your organization even has a formal security program and understand your security posture.
  • Determine what is protected, whether security practices are adaptable and repeatable, and whether they meet your organization's business and mission needs.
  • Identify gaps and develop a road map for improvement.

"A lot of this is really common sense," says Iboss's Martini, but it offers a way to improve security without a lot of expense and expertise.

Benefits outweigh costs?
Large organizations with veteran security staffs and sophisticated programs may find the framework to be rudimentary. But it does require investment, a hindrance to the smallest organizations. Although the framework is free and requires no up-front capital expenses, it does require time and people to do the necessary discovery and evaluations of IT systems and processes.

Symantec's Greene sees the framework giving CISOs "a lexicon to talk about what we do with nontechnical people," including board members, C-level executives, and other employees.

While White House officials maintain that the framework isn't an effort to expand regulation, regulatory agencies are harmonizing their regs with the guidelines. Government procurement requirements, for instance, are likely to stipulate that contractors and suppliers conform with the framework.

Experts maintain that the framework will become something of a de facto industry standard because of liability concerns, not just enlightened self-interest. While those concerns could drive companies to use the framework, it could scare others away.

"Failure to adopt [the framework] could expose a company to shareholder lawsuits." --Richard Clarke, former White House cyber-security adviser

Clarke, the former White House security adviser, thinks the framework's very existence already sets a standard for liability. Failure to follow it exposes a company to shareholder lawsuits, he says, and "there are plaintiffs' attorneys out there lining up to take the cases." Congress could step in and enact some kind of legal shield for companies that use the framework.

Experts maintain that critical-infrastructure operators will still need more incentives, including affordable cyber-insurance and cost-recovery programs, which could be implemented without legislation. Infrastructure operators also need better access to cyberthreat information, from other companies and the government, which probably would require legislation.

Dean Garfield, president of the Information Technology Industry Council, notes that states already are setting their own standards for corporate security and breach disclosure. He says companies should welcome nationwide standards, rather than a "mishmash of state regulation."

Most legislators want the framework to succeed, says Garfield, who hopes that it will motivate Congress to finish the needed cyber-security public policy pieces.

Although related policies and incentives must still be put in place and the framework itself isn't in an end-state, infrastructure operators shouldn't delay using it, NIST's Gallagher says. "Don't wait for perfection."

To read more, download the May issue of InformationWeek Government, distributed in an all-digital format (registration required).

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ...

Comments

WKash (User Rank: Author), 5/14/2014 | 11:28:37 PM
Supply chain application
During a May 13-14, 2014 forum, a White House aide, Ari Schwartz, said that one of the ways the Cybersecurity Framework is being put to special use is with companies trying to guard against weak links in their supply chains. He explained, for instance, how banks, with their own security standards, nonetheless are using the common template from the Framework to assess the security posture of some of the companies/industries that serve as suppliers to banks.

asksqn (User Rank: Ninja), 4/22/2014 | 5:43:44 PM
Federal guidelines are nice, but state laws protect consumers

> [...] president of the Information Technology Industry Council, notes that states already are setting their own standards for corporate security and breach disclosure. He says companies should welcome nationwide standards, rather than a "mishmash of state regulation."

And the only reason Garfield is making the above-referenced statement is because certain states, such as California, have breach disclosure laws that are superior to the federal law, the latter of which tends to thump consumers and reward negligent companies.