Recent Posts

NIST Cybersecurity Framework is Good and Bad, Experts Say

Source:  AWWA.
Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who've now had time to give the landmark system a closer look. Speaking at a webinar hosted yesterday by both the Industrial Control System Information Sharing and Analysis Center (ISC ISAC) and my own firm DCT Associates, the early assessment of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed it's own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it’s not a bad outcome.  I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group said. "Compliance with the NIST CSF only requires adopting the terminology.  If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It’s really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Japp Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn’t tell you how to do it," he said. "If you’re not familiar with the standards [referenced in the framework], you don’t know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."

Twitter Delicious Facebook Digg Stumbleupon Favorites More