NIST (the National Institute of Standards and Technology) issued for comment a “Discussion Draft of the Preliminary Cybersecurity Framework” on August 28, 2013, available at www.nist.gov/itl/cyberframework.cfm. The draft document is the result of the Presidential Executive Order (EO) on “Improving Critical Infrastructure Cybersecurity” issued by the White House on February 12, 2013 and available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
No sooner had the draft been issued than a couple of cybersecurity experts with strong ICS (industrial control system) backgrounds, namely Ralph Langner (Germany) and Joe Weiss (U.S.A.), weighed in with their criticisms, as reported by Antone Gonsalves of CSO Magazine on September 5, 2013 in an article with the title “NIST Cyber Security Framework Proposal Provides No ‘Measurable Cybersecurity Assurance,’” see … http://www.csoonline.com/article/739139/nist-cyber-security-framework-proposal-provides-no-measurable-cybersecurity-assurance-
I read the EO, the NIST document, critiques of the NIST proposal in Gonsalves’s article, and a paper on “The RIPE Framework” by Ralph Langner, available at http://www.langner.com/en/wp-content/uploads/2013/09/The-RIPE-Framework.pdf. I have to say that I tend to agree with the critics. While the NIST proposal does follow the basic tenets expressed in the EO, one would have hoped that NIST would have issued more than the “Risk Management 101” document that it has produced. There are major holes in the NIST proposal, not only with respect to its lack of attention to “cybersecurity assurance” and to the self-regulatory and voluntary tenor of the proposal, but also with regard to its virtually ignoring the entire fields of application security and safety.
Until and unless national proposals cover all of the major risks relating to cybersecurity, we will continue our reactive approach to defending against cyber attacks. As has been shown time and time again, such an approach is ineffective, expensive, and wasteful. We need to start from the basics, namely, building security and safety into our computer systems and networks and testing them to a fare-thee-well.
Subsequent to writing this column, I attended a conference where a NIST representative was on a panel on cybersecurity and critical infrastructure policy. It was described how the preliminary cybersecurity framework evolved through a series of working group meetings and that the framework specifically addressed the points in the Executive Order. From what was said, such issues as software safety, as it relates to industrial control systems, and application security, as it relates to both IT systems and ICS, were apparently discussed in working group sessions but the topics were barely referenced in the framework document itself. However, according to the NIST representative, they might be included in subsequent documents. I suppose that the omission of such crucial aspects of critical infrastructure cybersecurity was a conscious decision by the working group members. If that is the case, I believe that it was the wrong decision. Application security and control system safety and security are key factors in protecting the Nation’s critical infrastructure from attacks and insider errors. Ignoring them, for the most part, in the initial draft leaves a huge hole in the framework.
It should be noted that, even though ISA 99.02.01 (Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program) is mentioned 44 times in the document, every one of those mentions (apart from the Glossary) is in Appendix A, where particular sections of the standard are cited as informative references against individual subcategories. There is no discussion in the body of the framework of what the ISA document is or of what it specifically covers. Quite a number of the categories listed in the table in Appendix A carry no ISA 99.02.01 reference at all, such as having a policy protecting removable media (Stuxnet redux!), control of access to systems and assets, inclusion of cybersecurity in human resources practices, protection of intellectual property, protection against data leaks, recovery planning, updating of the recovery strategy, and so on. If those topics are in fact absent from an ISA document that sets out to establish a security program for ICS, as Appendix A of the draft framework suggests, the omissions are unconscionable.