Educause Security Discussion mailing list archives

Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 13 Feb 2014 09:46:07 -0800

Hi,

Tammy commented...

#I think the new NIST Framework is an improvement over previous guidance 
#provided and certainly, critical infrastructure protection is paramount 
#in view of all the breaches happening lately across multiple sectors.

I'm not seeing anything in v1.0 of the report that's going to 
revolutionize the practice of cyber for critical infrastructure, but 
neither am I seeing anything that's going to make any critical
infrastructure operators have a coronary. I guess it's a start.

Perhaps more promising is the roadmap for future activities; note
that NSTIC and authentication are explicitly mentioned, as is the
"automated exchange of indicators" (what we've historically called
"data driven security"). International aspects are also correctly
called out, which is terrific to see, too:

   http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

Reaction overall is a bit mixed in the trade rags. Typical example:

   http://techcrunch.com/2014/02/12/white-house-unveils-cybersecurity-plan-for-big-firms-looks-to-silicon-valley-next/

Sadly, many of the issues I highlighted nearly ten years ago in 
an invited Infragard talk, see:

   "SCADA Security and Critical Infrastructure,"
   http://pages.uoregon.edu/joe/scadaig/infraguard-scada.pdf

remain just as problematic in the SCADA/control system community as ever.

Part of the problem we face is that critical efforts such as the Industrial
Control Systems CERT (https://ics-cert.us-cert.gov/) just don't get the 
funding and staffing their work really deserves, and in fact, just this 
past July, ICS-CERT was actually targeted for cuts (e.g., see for example
http://blogs.wsj.com/cio/2013/07/20/dhs-scales-back-cybersecurity-programs-for-critical-infrastructure/ )

That's really unfortunate, IMHO.

Then, too, there was the incident last year where a power substation was
attacked and destroyed in San Jose, see for example the Wall Street 
Journal's "The Power Grid: Our Achilles Heel -- Chain-link fencing is 
all that protects the U.S. from a major disaster" (painfully long URL
with embedded trackers, Google to find it if you'd like to read it).

Low tech attack, but one where, but for the jam-and-peanut butter open
face sandwich landing jam-and-peanut butter side up for a change, it 
could have been bad.

Naturally, physical security is the red-headed child of cyber, an area 
that few if any love or care much about (anyone interested, yes, I've 
got a talk for that area too, see for example
http://pages.uoregon.edu/joe/phys-sec-i2mm/phys-sec-i2mm.pdf )

#Any good framework is an 'umbrella' that you can use as an overall 
#planning and guidance mechanism.  

Frameworks are a great way of giving a program structure and ensuring
that you don't accidentally overlook anything.

#ISO/IEC 27001:2013 is also a great international framework to use in 
#developing a comprehensive approach to developing information security 
#programs (ISO 27001 is mapped against this framework as well as NIST 
#800-53, COBIT 5 and others).

It's probably a reflection of my IETF and OSS-based tech "religious" 
orientation, but I have one major problem with the ISO standards: 
they're proprietary, and not cheap. I know that every organization
has to pay the bills, but it still bothers me to see what ISO charges
for things like ISO 27001. I'd encourage folks to consider adopting
an alternative framework of their choice that's readily/freely 
available to all who might want to view it.

Regards,

Joe

Disclaimer: all opinions strictly my own
