NIST Cybersecurity Framework is Good and Bad, Experts Say

Source:  AWWA.
Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who've now had time to give the landmark system a closer look. Speaking at a webinar hosted yesterday by both the Industrial Control System Information Sharing and Analysis Center (ICS ISAC) and my own firm DCT Associates, the early assessment of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed its own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it’s not a bad outcome.  I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group said. "Compliance with the NIST CSF only requires adopting the terminology.  If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It’s really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Japp Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn’t tell you how to do it," he said. "If you’re not familiar with the standards [referenced in the framework], you don’t know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."

NIST's Cybersecurity Framework at the Six-Month Mark: Are We More Secure?

On February 12th the National Institute of Standards and Technology (NIST) released its comprehensive cybersecurity framework, the culmination of an intense 12-month drafting process ordered by President Obama in an effort to ward off what former Defense Secretary Leon Panetta feared would be an imminent "cyber Pearl Harbor." This framework of frameworks was intended to lay down some ground rules to improve the security and resilience of all industries, but particularly the critical ones upon which stable society depends, such as energy, communications, transportation and food and agriculture.

So, what's happened since the framework's release? Find out tomorrow when I will be moderating a webinar for the Industrial Control System Information Sharing and Analysis Center (ICS ISAC), one of the key groups assigned the all-important information-sharing task among industrial control system operators to ensure that cyber threats are identified and managed in a timely fashion.

Join ICS ISAC Chair Chris Blask and me to find out what top security specialists think about the framework six months in, and the benefits and challenges they've experienced in putting the framework into place. Among the experts we've lined up are:
  • Kevin Morley, Security and Preparedness Program Manager, American Water Works Association
  • Perry Pederson, Co-Founder and Managing Principal at The Langner Group, LLC
  • Greg Witte, Program Manager, Security Standards Team, G2, Inc.
Based on my conversations with some of the speakers, this webinar promises to be a lively one, complete with frank assessments of both the good and not-so-good aspects of the framework. I'll check back in here later with a write-up of the key points, but register for the webinar today so you can hear first-hand what they have to say and ask your own questions.
