When Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” [1], was released earlier this year, it called for the development of a cybersecurity framework. The purpose, as expected given the myriad news articles covering critical infrastructure cybersecurity, was to improve the cybersecurity posture of these organizations by giving them a voluntary framework that enables them to identify, assess, and manage cyber risk. Fortunately, the “Preliminary Cybersecurity Framework” [2] is still in draft form, with the latest round of development workshops just completed in Dallas, TX, because it seems that the lessons that should have been learned from other similar frameworks have not yet made their way into the current discussion.
To briefly summarize, the draft framework [3] is built around a core, implementation tiers, and a profile. The core has 5 major sections called functions: Identify, Protect, Detect, Respond, and Recover. Each function has a set of associated categories and subcategories. Every line item also has a useful set of applicable references, including ISA 99.02.01 [4], ISO/IEC 27001 [5], COBIT [6], NIST SP 800-53 [7], and the Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC) [8]. The tiers represent the maturity of an organization’s risk practices and run from 0 through 3: Tier 0 - Partial, Tier 1 - Risk Informed, Tier 2 - Repeatable, and Tier 3 - Adaptive. The profile is a tier “grade” for each of the five functions. Organizations are encouraged to develop an as-is profile and a target profile and to use their risk management process to move their risk toward the target profile over time.
The things that initially stood out to me were the strengths of the document. It was developed with the intricacies of the critical infrastructure sector in mind. This includes the understanding that there is not an infinite amount of funding for cybersecurity and that cybersecurity risk must be part of the normal organizational risk management process. The framework also stresses the importance of including senior executives in decision making, including having them decide on an appropriate risk appetite for the organization. Lastly, there is a good discussion of areas for improvement, although these seem detached and not built on any existing portions of the framework.
Unfortunately, the framework is laden with the same issues that have caused many of the cybersecurity problems that exist today. First, there is little discussion of “baking in” security. Development of secure systems for critical infrastructure is only briefly mentioned. In fact, the feedback loop that any framework needs in order to carry lessons learned from implementation or security breaches back into new system development is not emphasized. Additionally, the framework, in its current form, is mostly based on implementation of the core, which largely repeats known best practices. Although the core represents a comprehensive listing of these business practices, there is a significant gap: it offers no way to determine the maturity of implementation of any given best practice. Implementers of this framework will face immense challenges trying to determine how well they are doing for any given core best practice. Fundamentally, this framework misses the point that proper cybersecurity is less about best practices and more about creating an environment in which communication and business processes, within organizations and with other organizations, all staffed by well-educated and well-trained personnel, represent the most essential improvements needed.
The framework was unable to achieve a balanced discussion of its different parts. While the document says the framework is made up of the core, the tiers, and the profiles, the core is where most of the emphasis has been placed. While the core is useful information, determining an as-is risk state and putting into effect a plan that moves an organization to the desired to-be risk state through achievable intermediate risk states is much more important over the long run. There will always be new threats, mitigations, and best practices. A mature process for managing risk ensures that, no matter how often those change, the organization will be able to adapt. Key to managing risk in non-governmental organizations is money. Senior executives talk in terms of dollars. This framework unfortunately does not. If the risk managers in the organization cannot give senior executives a breakdown of the likelihood of a security incident and how much it will cost the organization when one happens, and compare that against the short- and long-term costs of putting a mitigation in place (people, training, technology, process, etc.), they will not be funded. Critical infrastructure organizations are profit-seeking and will not let their bottom line slip without a compelling business case being presented.
The last weakness of this document that I would like to highlight is the topic of communication. Given the importance of the critical infrastructure of this country, it is odd that threat intelligence is not mentioned in this document. Cyber risk management is not going to be effective unless there is some idea of who is committing the cyber attacks against your organization and what their tactics and techniques are. Although not mentioned in this document, it is known that the Department of Homeland Security (DHS) is going to be the focal point for this threat intelligence. It is assumed that their role will be to gather intelligence and distribute it to critical infrastructure organizations, but there does not seem to be any mechanism in this framework to support this type of data ingest (or acting on it), nor does there appear to be any mechanism for these organizations to share their information with DHS. Lastly, given that the “critical infrastructure” title is extremely broad and can encompass very different organizations, providing very different services and using very different systems, it would seem that DHS would have a challenging time handling all of the inherent complexity, especially since this framework is voluntary in nature. Therefore, it will be incumbent upon these organizations to partner with similar organizations throughout the country to enhance their cybersecurity readiness in a more peer-to-peer format that does not require significant resources from DHS.
What do you think of the framework? What improvements do you think need to be made?
References
[4] ISA 99.02.01 (2009), Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2FISA%2099.02.01-2009
[5] ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103
[6] Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx
[7] NIST Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[8] Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org