NIST's Finalized Cybersecurity Framework Receives Mixed Reviews
There has never been a successful catastrophic cyberattack on North America's critical infrastructure (CI) -- yet.
Fri, January 31, 2014
CSO — There has never been a successful catastrophic cyberattack on North America's critical infrastructure (CI) -- yet.
The National Institute of Standards and Technology's (NIST) Cybersecurity Framework 1.0, to be issued Feb. 13 in response to an executive order from President Obama, aims to keep it that way.
But there is considerable debate within the security community about whether it will improve the protection of CI, which includes transportation, energy, food, water, financial services and other systems.
Some, like Andrew Ginter, vice president of industrial security at the Canadian firm Waterfall Security Solutions, contend that it takes a misguided approach to the magnitude and complexity of the threats.
Ginter wrote in a recent blog post that the framework is too complicated for top management and board members of Industrial Control Systems (ICS). Worse, he said, it, "leads senior management to ask the wrong kinds of questions about the security of critical infrastructure sites," by focusing on "actuarial" risk rather than the capabilities of the most sophisticated potential attackers.
The question, he said, should not be, "How many times was the North American power grid taken down by a cyber assault in the last decade, and what did each such incident cost? The answer is, of course, zero."
Instead, he said, it should be, "When our most capable enemies attack us, what is the most likely outcome?"
Joe Weiss, managing partner at Applied Control Solutions, has argued for years that government organizations like NIST and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too focused on "compliance" and not enough on real security.
But, Kevin Bocek, vice president of product marketing and threat research at Venafi, said the impending Framework 1.0, "moves IT security strategy forward to include modern defensive strategies. The framework places greater emphasis of detecting and responding to security incidents instead of just trying to prevent them."
Bocek said he thinks the framework, "strikes a balance between capabilities vs. actuarial for a broad audience." And he said the fact that it includes a focus on "detection, response, and remediation instead of just prevention puts the framework ahead of many current IT security strategies that assume attackers can be locked out at the firewall."
TK Keanini, CTO at Lancope, suggested that some of the criticism may be due to unrealistic expectations. The framework is not meant to be a magic bullet, he said, but instead, "a baseline to what is reasonable should an incident occur."
Advanced threats, he said, "evolve and innovate on a daily basis whereas the Cybersecurity Framework takes months, if not years, to gain consensus and be implemented."