Educause Security Discussion mailing list archives
Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 13 Feb 2014 09:46:07 -0800
Hi,

Tammy commented...

#I think the new NIST Framework is an improvement over previous guidance
#provided and certainly, critical infrastructure protection is paramount
#in view of all the breaches happening lately across multiple sectors.

I'm not seeing anything in v1.0 of the report that's going to revolutionize the practice of cyber for critical infrastructure, but neither am I seeing anything that's going to make any critical infrastructure operators have a coronary. I guess it's a start.

Perhaps more promising is the roadmap for future activities; note that NSTIC and authentication are explicitly mentioned, as is the "automated exchange of indicators" (what we've historically called "data driven security"). International aspects are also correctly called out, which is terrific to see, too:

http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

Reaction overall is a bit mixed in the trade rags. Typical example:

http://techcrunch.com/2014/02/12/white-house-unveils-cybersecurity-plan-for-big-firms-looks-to-silicon-valley-next/

Sadly, many of the issues I highlighted nearly ten years ago in an invited Infragard talk, see:

"SCADA Security and Critical Infrastructure,"
http://pages.uoregon.edu/joe/scadaig/infraguard-scada.pdf

remain just as problematic in the SCADA/control system community as ever.

Part of the problem we face is that critical efforts such as the Industrial Control Systems CERT (https://ics-cert.us-cert.gov/) just don't get the funding and staffing their work really deserves, and in fact, just this past July, ICS-CERT was actually targeted for cuts (see, for example, http://blogs.wsj.com/cio/2013/07/20/dhs-scales-back-cybersecurity-programs-for-critical-infrastructure/ ). That's really unfortunate, IMHO.

Then, too, there was the incident last year where a power substation was attacked and destroyed in San Jose; see, for example, the Wall Street Journal's "The Power Grid: Our Achilles Heel -- Chain-link fencing is all that protects the U.S. from a major disaster" (painfully long URL with embedded trackers, Google to find it if you'd like to read it). Low tech attack, but one where, but for the jam-and-peanut-butter open-face sandwich landing jam-and-peanut-butter side up for a change, it could have been bad.

Naturally, physical security is the red-headed child of cyber, an area that few if any love or care much about (anyone interested, yes, I've got a talk for that area too; see, for example, http://pages.uoregon.edu/joe/phys-sec-i2mm/phys-sec-i2mm.pdf ).

#Any good framework is an 'umbrella' that you can use as an overall
#planning and guidance mechanism.

Frameworks are a great way of giving a program structure and ensuring that you don't accidentally overlook anything.

#ISO/IEC 27001:2013 is also a great international framework to use in
#developing a comprehensive approach to developing information security
#programs (ISO 27001 is mapped against this framework as well as NIST
#800-53, COBIT 5 and others).

It's probably a reflection of my IETF and OSS-based tech "religious" orientation, but I have one major problem with the ISO standards: they're proprietary, and not cheap. I know that every organization has to pay the bills, but it still bothers me to see what ISO charges for things like ISO 27001. I'd encourage folks to consider adopting an alternative framework of their choice that's readily/freely available to all who might want to view it.

Regards,

Joe

Disclaimer: all opinions strictly my own
Current thread:
- NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1 Carlos Lobato (Feb 13)
- Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1 TAMMY L. CLARK (Feb 13)
- <Possible follow-ups>
- Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1 Joe St Sauver (Feb 13)