As Congress considers new rules for companies that run critical U.S. infrastructure to report cyber-security breaches, those looking to strengthen their policies and procedures now have some much-needed guidance.

The National Institute of Standards and Technology issued its first “discussion draft” in late August, laying out a preliminary cyber-security framework for critical infrastructure—such as power plants, utilities, and transportation companies. The guidance is the result of an executive order issued by the Obama Administration in February, calling for the framework.

NIST, a non-regulatory unit of the Commerce Department that aims to bolster U.S. economic security, is currently developing a set of voluntary cyber-security standards and practices for reducing cyber-security risks within critical infrastructure, such as nuclear plants and stock exchanges.

“NIST is the most authoritative government agency on these types of matters,” says Harriet Pearson, former chief privacy officer at IBM and now a partner with law firm Hogan Lovells. The framework in its final form will become “the standard,” says Pearson, against which companies will be measured on how they perform on cyber-security practices relative to the risks they face.

The framework provides a common language and process for companies to:

Describe their current and targeted state of cyber-security readiness;

Identify and prioritize opportunities for improvement within the context of risk management;

Assess progress toward the target state; and

Foster communications among internal and external stakeholders.

NIST hopes that the framework will be used by companies as “an influential yardstick and that it will provide a common language for companies across industries to use to describe how they're doing on cyber-security,” Pearson says.

The move could be the first step toward greater regulation of how companies—including utilities and others that run critical infrastructure connected to energy, transportation, and the financial system—report online attacks and other breaches to cyber-security.

As Congress headed off for the August recess, the Senate Commerce Committee approved cyber-security legislation introduced by Sen. John Rockefeller (D-W. Va.) and Sen. John Thune (R-S.D.) that instructs NIST to develop ideas businesses can use to bolster their online defenses. It also sets up a workforce training plan to produce more IT security professionals. In April, Rockefeller sent a letter to Securities and Exchange Commission Chairman Mary Jo White, calling for new disclosure requirements for companies to report on their cyber-security risks.

Voluntarily Mandatory

While the adoption of the framework is voluntary, there are still several compliance concerns associated with it. “The practical reality is that it will become much more than that,” says Pearson. It likely will serve as a “powerful tool” for federal agencies “to ask questions against this framework” as to whether companies have identified and assessed their cyber-security risks and implemented processes to mitigate them. “So the stakes are pretty significant,” she says.

Another concern is that enforcement agencies could use the framework as a measure against which companies will be evaluated in the event of a breach. If a company says it has identified and prioritized its risks using the framework but has not taken any action to mitigate those risks and a cyber event occurs, “that's a problem,” Pearson says.

Another common fear expressed by industry representatives is that regulatory agencies will use the framework to initiate regulations. “When the executive order first came out, that was our initial reaction, that this is the first step toward over-regulation in a space where we don't need more regulation,” says Brian Raymond, director of technology policy for the National Association of Manufacturers.


The concern is that a regulatory agency might take this framework, which is intentionally designed to be non-prescriptive, “and create some sort of regulation that will become a checklist exercise,” says Nadya Bartol, senior cyber-security strategist for the Utilities Telecom Council.

Clarifications Made

NIST stressed in the discussion draft that the framework complements—and does not replace—a company's existing cyber-security risk-management processes and procedures. In fact, companies can leverage the framework to identify weaknesses in their own processes. Alternatively, companies without an existing cyber-security program can use the framework as a starting point.

For small and medium companies, “this may provide a decent roadmap for them to think about how to protect against cyber threats as they go forward,” says Keith Darcy, executive director of the Ethics & Compliance Officer Association.

The extent of adoption will vary by industry, says Bartol. Many heavily regulated industries may find that they “already have robust measures in place,” she says.

FRAMEWORK BASICS

Below is an excerpt from the draft of the preliminary cyber-security framework, which explains its core elements and functions.

The Framework provides a common language for expressing, understanding, and managing cyber-security risk, both internally and externally. The Framework helps identify and prioritize actions for reducing cyber-security risk and is a tool for aligning policy, business, and technological approaches to managing that risk. Different types of entities—including individuals, organizations, and associations—can use the Framework to create one or more Profiles. These Profiles draw from the Functions, Categories, Subcategories, and Tiers.

Framework Core

The Framework Core provides references to cyber-security activities and Informative References. The Framework Core is not a checklist of activities to perform; it presents key cyber-security outcomes that are aligned with activities known to manage cyber-security risk. These activities are mapped to a subset of commonly used standards and guidelines. The Framework Core comprises four types of elements—Functions, Categories, Subcategories, and Informative References …

The Framework Core elements work together as follows:

Functions provide the highest level of structure, for organizing cyber-security activities into Categories and Subcategories. These Functions are: Identify, Protect, Detect, Respond, and Recover.

Categories are the subdivisions of a Function into groups of cyber-security activities, more closely tied to programmatic needs. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”

Subcategories further subdivide a Category into high-level tactical activities to support technical implementation. Examples of subcategories include “Inventory and track physical devices and systems within the organization,” “Protect network integrity by segregating networks/implementing enclaves (where appropriate),” and “Assess the impact of detected cyber-security events to inform response and recovery activity.”

Informative References are specific sections of standards and practices common among critical infrastructure sectors and illustrate a method to accomplish the activities within each Subcategory. The Subcategories are derived from the Informative References. The Informative References presented in the Framework Core are not exhaustive, and organizations are free to implement other standards, guidelines, and practices.

The five Framework Core Functions defined below apply to both traditional information technology and operational technology.

Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.

Protect – Develop and implement the appropriate safeguards, prioritized through the organization's risk management process, to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber-security event.

Respond – Develop and implement the appropriate activities, prioritized through the organization's risk management process (including effective planning), to take action regarding a detected cyber-security event.

Recover – Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the appropriate capabilities that were impaired through a cyber-security event.

Source: National Institute of Standards and Technology.
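As an added illustration (not NIST's code and not part of the article), the Core hierarchy described in the excerpt can be modeled as Functions, Categories, Subcategories and Informative References, and two Profiles (current and target state) compared to prioritize gaps and assess progress, which is what the framework's four listed uses amount to in practice. The Subcategory texts are the page's own examples; the Category each one sits under, the 0–3 maturity scale, the risk weights and the placeholder references are assumptions made for the example.

```python
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass(frozen=True)
class Subcategory:
    function: str     # one of the five Functions
    category: str     # e.g. "Asset Management"
    outcome: str      # the Subcategory outcome text
    refs: tuple = ()  # Informative References (placeholder strings here)

# Core built from the Subcategory examples quoted on the page; the Category
# assignments are assumed for illustration and the refs are placeholders.
CORE = (
    Subcategory("Identify", "Asset Management",
                "Inventory and track physical devices and systems", ("<std-ref>",)),
    Subcategory("Protect", "Access Control",
                "Protect network integrity by segregating networks", ("<std-ref>",)),
    Subcategory("Detect", "Detection Processes",
                "Assess the impact of detected cyber-security events", ("<std-ref>",)),
)

def validate_core(core):
    """Every Subcategory must hang off one of the five Functions."""
    bad = [s.outcome for s in core if s.function not in FUNCTIONS]
    if bad:
        raise ValueError(f"unknown Function for: {bad}")
    return True

# A Profile maps each Subcategory outcome to an implementation level on a
# constructed 0-3 scale: 0 none, 1 partial, 2 implemented, 3 measured.
CURRENT = {CORE[0].outcome: 1, CORE[1].outcome: 0, CORE[2].outcome: 2}
TARGET = {CORE[0].outcome: 3, CORE[1].outcome: 2, CORE[2].outcome: 2}
# Constructed risk weights, as an organization's risk-management process would supply.
RISK = {CORE[0].outcome: 2, CORE[1].outcome: 3, CORE[2].outcome: 1}

def gap_analysis(core, current, target, risk):
    """Rows (function, category, outcome, gap, priority) for every Subcategory
    below its target level, highest priority (gap * risk weight) first."""
    rows = []
    for s in core:
        gap = target.get(s.outcome, 0) - current.get(s.outcome, 0)
        if gap > 0:
            priority = gap * risk.get(s.outcome, 1)
            rows.append((s.function, s.category, s.outcome, gap, priority))
    return sorted(rows, key=lambda r: r[4], reverse=True)

def progress(core, current, target):
    """Fraction of the target Profile already met (credit capped per Subcategory)."""
    need = sum(target.get(s.outcome, 0) for s in core)
    have = sum(min(current.get(s.outcome, 0), target.get(s.outcome, 0)) for s in core)
    return have / need if need else 1.0
```

With the constructed Profiles above, the network-segregation gap under Protect ranks first because its risk weight is highest, and 3 of the 7 target levels are already met.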

Some companies are simply taking a wait-and-see approach. “Instead of embarking on a large-scale assessment right now, they're waiting for the framework to come out,” says Pearson.

In response to suggestions that the framework not conflict with the many existing cyber-security standards that are already in place, NIST has done its best to use existing trusted standards as a guide. It also stressed that the framework is “not a one-size-fits-all approach.”

In the guidance, NIST includes a “message to senior executives” emphasizing the importance of cyber-security and why they should support such efforts. “They recognize that senior executives are a critical audience here,” Raymond says.

What is missing, however, is more guidance on the actual benefits of making investments in cyber-security, Raymond notes. If a company is going to make a strong case to its senior executives, “there needs to be that type of guidance in there,” he says.

Currently, the Department of Homeland Security, the agency that is facilitating adoption of the cyber-security framework, is exploring ways to provide incentives for companies to adopt the voluntary standards. Along with the carrots could be some sticks, such as requiring adoption of the framework as a condition for receiving federal infrastructure grants. “Where incentives can play a role, I think there should be some part of this framework dedicated to that,” Raymond says.

More to Come

NIST has earned some praise for taking a careful approach and making the process as collaborative as possible. “Kudos to them for making this such an open, voluntary process,” says Raymond. Ninety percent of U.S. critical infrastructure is owned by the private sector, “so it's important that the private sector be actively involved and drive the process,” he says.

“We want to make sure we provide a chance to get direct and extensive feedback on the draft,” said Adam Sedgewick, senior information technology policy adviser at NIST, in a statement. To that end, NIST will hold its fourth and final public workshop from Sept. 11 to 13 to discuss the framework and get feedback from companies and other stakeholders.

At its most recent workshop, held in July, more than 350 representatives from companies, industry associations, academia, and government participated in the discussion to come up with a common preliminary framework.

“We consider this a long-term process to enhance the cyber-security of our critical infrastructure,” said Sedgewick. “NIST will continue to work with all of our stakeholders to ensure the framework is a useful tool that is consistently updated to reflect changes in technology, risks, feedback from industry, and other factors.”

NIST is expected to issue its final cyber-security framework in February 2014.

Even after NIST issues the final framework, “there is a lot more work that needs to be done,” says Darcy. “It's not as simple as the NIST framework. It really requires a lot of deep thought to come up with the multiple risks that potentially exist in this age of information.”