'Baby Teeth' In Infrastructure Cyber Security Framework

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.darkreading.com/vulnerabilities---threats/baby-teeth-in-infrastructure-cyber-security-framework/d/d-id/1204437


The recent release of the Framework for Improving Critical Infrastructure
Cybersecurity by the National Institute of Standards and Technology has
generated some debate on the actual effect this document will have on
improving cyber security. There’s no new technology or technique here --
the framework is a simple taxonomy on which are hung references to existing
security frameworks for various critical infrastructure sectors.

As many have pointed out, compliance is voluntary -- there are no teeth. In
fact, it’s not even clear what compliance would be, since the taxonomy
points to existing standards that would already be complied with if
mandatory. That makes this document a relatively small step in the
direction of improved security. But it is potentially an important one. If
it can provide a common way of characterizing security programs, it could
be a big enabler. Let’s follow the path that led to the creation of this
document.

This framework was mandated by the Obama administration’s Cybersecurity
Executive Order in February 2013. That Executive Order itself was a result
of the inability of Congress to pass security legislation in the critical
infrastructure area, largely due to industry opposition to the increased
costs such security programs would cause. That’s why both the executive
order and this framework have no teeth -- only Congress can impose new laws
and fund enforcement mechanisms.

There is a general feeling that our infrastructure sectors -- airports,
utilities, chemical plants, etc. -- are not properly secured against cyber
attack, and that the results of such an event could be catastrophic. Think
of something on the order of magnitude of the Northeast United States
blackout of 2003, or an attack on airports or airline infrastructure that
could result in a significant, and perhaps extended, no-fly situation like
Sept. 12-15, 2001. Given the general agreement that there is a problem, why
would industry oppose the legislation of mandatory minimum security
requirements to prevent things like this from happening and to level the
compliance playing field?

I’m sure the reasons for the resistance include a lack of information on
which to base legislation and a legitimate fear that operations will be
burdened by new requirements. Worse is the concern that many of these new
requirements won’t make any sense for particular industries.

Enter the cyber security framework. The framework provides a simple, common
taxonomy to compare and contrast different levels of security programs. One
part of the framework describes how to fill out a profile for an
organization. For example, if we take a representative number of electric
utilities or chemical plants and have them all fill out profiles using the
framework taxonomy, then the postures of these companies can be directly
compared, and a baseline level of common practice in each industry
established.

This set of baseline profiles established for each of the 16 critical
infrastructure sectors, could be used to negotiate and ultimately define,
through legislation, the minimum levels of security required on an
infrastructure sector-by-sector basis, expressed as a NIST framework
profile. This is where the teeth would be -- which brings us all the way
back to where we started: the need for Congress to pass legislation that
sets minimum levels of information security for critical infrastructure
sectors.

The framework throws a bone at the notion of improving security by
discussing gap analysis, but how to do that is well understood and
documented elsewhere. The real value here is a means to both justify and
compel private sector spending in a commercially competitive environment to
fill the security gaps.

For the optimists among us, this legislation might just happen this year.
The National Cybersecurity and Critical Infrastructure Protection Act is
currently being negotiated in the House and with the DHS.  But in light of
past history, I’m not holding my breath.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!