10:00 ET, 14 February 2014

The US Government has published a cybersecurity framework for critical infrastructure, a “living document” intended to improve the security of these sectors.

The US Government has issued a cybersecurity framework for critical infrastructure; its goal is to improve the security of the IT and SCADA networks deployed in sensitive industries such as energy, water and financial services.

The NIST announced the Framework for Improving Critical Infrastructure Security, a document that proposes cybersecurity standards and practices for building out a security program.

“The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers,” the document states.

The framework is the result of Executive Order 13636 for critical infrastructure stakeholders, and it is a joint effort between industry and government.

“To better address these risks, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses,” the NIST framework states.

The framework is considered a significant step toward improving the security of critical infrastructure through the establishment of new cybersecurity programs.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” said President Barack Obama. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”


The Framework is a “living document”: NIST intends, through collaboration between government and the private sector, to update it continuously, incorporating feedback from those who apply the suggested practices.

This approach aims to create both a reactive and a proactive environment, mitigating existing threats and designing solutions for critical infrastructure protection.

The framework is organized into three components, each of which reinforces the connection between business drivers and cybersecurity activities.

  • The Framework Core establishes common outcomes, references and activities that organizations can use to communicate desired states across the organization. According to the document, the Core has five functions: identify, protect, detect, respond and recover from an incident, providing a high-level strategic outline for critical infrastructure operators.
  • The Framework Implementation Tiers describe an organization’s current practices and help a security team determine whether its current processes are risk aware, repeatable and adaptive enough for current threats.
  • The Framework Profile establishes the desired outcomes as they relate to business needs. The document says the Profile is an alignment of standards, guidelines and practices to the Core for particular implementation scenarios.

As highlighted in the past, threats to critical infrastructure are increasing in complexity, but it must also be considered that the information and tools needed for an attack are easy to find online; consider, for example, how simple it is to locate Internet-exposed SCADA components through the Shodan search engine, along with the exploits needed to hit them.

“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” Obama said. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”

The framework is available on the NIST website.

The cyberspace is an increasingly dangerous place!

Pierluigi Paganini

(Editor-In-Chief, CDM)

 
