Protecting Critical Infrastructure: A New Approach - InformationWeek
Government // Cybersecurity
09:06 AM
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Protecting Critical Infrastructure: A New Approach

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?

Download the entire May issue of InformationWeek Government, distributed in an all-digital format (registration required).

Symantec may not fit the image of a US critical-infrastructure operator, but it wasted little time reassessing its security practices using a set of national cyber-security guidelines released in February by the National Institute of Standards and Technology.

The Framework for Improving Critical Infrastructure Cybersecurity, developed over the past year at the White House's direction, gives executives in 16 critical-infrastructure industries -- including communications, defense, energy, financial services, health, transportation, and water -- a new tool for assessing and improving their organizations' cyber-security posture.

The guidelines are voluntary. But because they represent the recommendations of hundreds of public- and private-sector organizations and companies, rather than just government, industry experts are optimistic that companies will take them seriously. The framework is labeled Version 1.0 and will evolve as needs are identified and addressed, says NIST director Patrick D. Gallagher.

"We are really happy with how the framework ended up," says Jeff Greene, senior policy counsel for Symantec, which has begun using the framework to evaluate its own practices. "It's a good tool for organizations of all sizes. I was surprised at how useful our people found it." As would be expected of a large IT security vendor, Symantec already had a sophisticated security program, but "we are using it as a way to look at everything we're doing."

Paul Martini, CEO of Iboss Network Security, sees the framework as "a good first step" toward improving the security of privately owned facilities.

NIST and industry officials maintain that, while it's in the interests of critical-infrastructure operators to follow the framework, it will still take incentives from Congress and prodding from regulators to ensure widespread adoption. And even if the operators follow the NIST guidelines to the letter, they may only deter and not thwart sophisticated attackers.

One of the criticisms of the framework is that it doesn't tell critical-infrastructure operators what to do or which tools to use. It's technology-neutral: Product choices are left to each operator as risks are identified and addressed. "I understand the lack of specificity," says Ed Hammersla, Raytheon's managing director of cyber-security products. Only broad guidelines can address common issues across a wide range of industry sectors and organizational sizes and types. But even as threats and technology change, the framework's guidelines should remain relevant, Hammersla says.

Another criticism is that the framework will serve as a back door for more government regulation. Although following the guidelines is voluntary, former White House cyber-security adviser Richard Clarke called the framework a "semi-coercive" effort that threatens those that don't adopt it with liability and lawsuits.

Index to proven standards
The framework's main components are vetted industry and government standards and best practices for identifying, detecting, protecting against, and responding to threats and attacks.

The framework's strength, says Unisys chief information security officer Dave Frymier, is its cross-industry taxonomy and index to NIST, ISO/IEC, COBIT, and other technical guidelines for assessing risks and managing and protecting IT assets. "People think this is a compliance document. It's really a scorecard," Frymier says. But for the first time, "you can compare your security posture across your industry," he says, praising NIST for "creating a framework that can be tailored to different industries."

'The Cybersecurity Framework is a 'foundation for a solution' for protecting the nation's infrastructure.' -- Harry D. Raduege, chairman, Deloitte Center for Cyber Innovation
"The Cybersecurity Framework is a 'foundation for a solution' for protecting the nation's infrastructure." -- Harry D. Raduege, chairman, Deloitte Center for Cyber Innovation

While the impetus for the framework was a presidential executive order issued in February 2013, its roots run much deeper.

"The voluntary framework owes its existence in large part to the failure of Congress to achieve consensus on this issue through 2012," says Ian Wallace, a visiting fellow with the Brookings Institution's Center for 21st Century Security and Intelligence and formerly of the British Ministry of Defense. Harry D. Raduege, a member of the Commission on Cybersecurity for the 44th Presidency, dates the origins of the framework to a 2008 report from the commission, which called cyber-security a major national security problem and recommended, among other things, regulating cyberspace and updating US computer law. Although Congress introduced numerous bills during the next three congressional sessions, none of them were passed. "We were in complete gridlock," Raduege says.

Raduege, former director of the Defense Information Systems Agency and now chairman of the Deloitte Center for Cyber Innovation, doesn't think the resulting document is a second-best alternative to federal regulation. He called it "a foundation for a solution."

Three-tiered approach
The main element of the NIST framework, which isn't designed to replace existing security programs, is a set of industry and government

Next Page

William Jackson is writer with the <a href="" target="_blank">Tech Writers Bureau</A>, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
5/14/2014 | 11:28:37 PM
Supply chain application
During a May 13-14, 2014 forum, a White House Aid, Ari Schwartz said that one of the ways the Cybersecurity Framework is being put to special use is with companies trying to guard against weak links in their supply chains.  He explained for isntance how banks, with their own security standards, nonetheless are using the common templated from the Framework to assess the security posture of some of the companies/industries that serve as suppliers to banks.


User Rank: Ninja
4/22/2014 | 5:43:44 PM
Federal guidelines are nice, but state laws protect consumers
<blockquote> [...] president of the Information Technology Industry Council, notes that states already are setting their own standards for corporate security and breach disclosure. He says companies should welcome nationwide standards, rather than a "mishmash of state regulation." </blockquote>


And the only reason Garfield is making the above referenced statement is because certain states, such as California, have breach disclosure laws that are superior to the federal law, the latter of which tends to thump consumers and reward negligent companies.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll