Last week, the National Institute of Standards and Technology (NIST) held its sixth workshop in Tampa, FL on the landmark critical infrastructure cybersecurity framework mandated by President Obama in February 2013 and issued by NIST in February 2014. As at the five previous workshops NIST held before the framework's release, hundreds of cybersecurity specialists gathered for two days to listen to government and industry experts and to hash out the framework's details across multiple specialized working sessions.
While the event covered a lot of ground, tackling a range of technical and detailed topics, from relatively specialized matters such as authentication issues in industrial control security to broader overviews of how various sectors are dealing with the framework, a few themes emerged from the sessions and from conversations with attendees. Here are the top four take-aways from the latest workshop:
1. Everyone Likes the Framework: Almost everyone said the framework is a good thing, although, as noted below, specialists still have some issues with the framework's ongoing development. Not surprisingly, the representatives from industry and from the UK and EU governments who were invited to speak on the plenary session panels offered almost uniformly positive views of the framework. "We began using the framework essentially the day it came out," Tim Casey, a senior information risk analyst at Intel, said. "It gave us purpose and direction that we didn't have previously," Jefferson England, an executive at the small telco Silver Star Communications, said.
Conversations with attendees yielded more of the same. "This is a good force multiplier. It's a common unified framework for managing security risks," Robert Brown, Manager of Assurance at PwC, said. "People have seemed to really embrace it," according to Phil Agcaoili, VP and CISO at Elavon. "There are all sorts of ways this could have gone wrong and it didn't," Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), said.
Much of the good feeling flowed from the sense of collegial community that has grown up over the course of the multiple workshops among the many hundreds of cybersecurity specialists. (Frequent jokes were made about the T-shirts given to people who had attended every workshop.) The framework process has really "put trust across the sectors," Jack Whitsitt, Senior Analyst at the cybersecurity consortium EnergySec, said, highlighting the fact that cyber specialists in different industries now share information outside their own sectors because of the relationships forged during the NIST framework process.
2. The Framework's Primary Value To Date Seems to Be as a Communications Tool: The jury is still out on whether the framework has actually achieved its intended goal of reducing cybersecurity risks, but it's clear that the subject matter experts at the workshop think it's a good device for communicating the arcane subject of cybersecurity to managers, regulators, vendors, partners and other audiences. "One of the largest benefits of the framework is that it provided a framework of discussion, as much as anything else," Silver Star's England said.
"We're using it as an engagement tool for our regulators," Karl Schimmeck of the Securities Industry and Financial Markets Association said. "We're hoping that it becomes the common language when you're talking to suppliers, vendors, joint ventures," a senior oil and gas industry representative said. "I'm using it to inform my board and executives," Elavon's Agcaoili said.
3. Otherwise the Framework Is Still Kind of Difficult to Use: Despite being built on the notion of simplicity, the NIST framework is a 41-page document that features a core set of activities, multiple implementation tiers and intricate mappings to hundreds of detailed cybersecurity standards developed by a welter of standards-setting bodies. Most of the practitioners in attendance at the workshop said that the framework, despite its communication value, can at times be quite a challenge to use. "These frameworks are alphabet soup," PwC's Brown said.
"The mapping process is nuts," Dorian Cougias, Compliance Scientist at Unified Compliance, said. Part of the problem is that the intricate standards mapped to the framework can run dozens and even hundreds of pages, and it's not always clear which parts of those standards apply to which parts of the framework. "There were times when we did not exactly understand what the framework meant," one top energy cybersecurity specialist said.
"The content of the framework really doesn't matter," EnergySec's Whitsitt said. "Organizations that don’t know how to do security already will have a hard time with it."
The difficulty of using the framework can be greater for smaller and mid-sized organizations that don't have cybersecurity experts on staff, a topic much discussed during the framework's development. "The big guys do this already," one communications industry representative said. "They wouldn't be in business if they weren't protecting their networks for financial reasons." The smaller guys, however, are struggling to come up to speed with what the framework demands, she noted, because they may have at most one IT person on staff assigned to implement security measures.
The right way to view the challenge of using the framework isn't big versus small, according to Adam Sedgewick, who spearheads the project for NIST; it's more about how serious the company is about cybersecurity, regardless of size. "I think it's a mistake to think that small and medium companies do not have good cybersecurity practice as a rule. I think it's more appropriate to say companies that do not have robust cybersecurity programs" face greater challenges.
4. There Won't Be a Framework 2.0 Any Time Soon: Two mantras emerged from the government and NIST speakers at the workshop. The first is that "it's still early days" for the framework and too soon to gauge its effectiveness. The second, related concept is that no basic changes to the framework are in the offing anytime soon.
"We want to make sure that people understand we don't expect changes to the framework in the future," Ari Schwartz of the National Security Council said. "We are in no rush to make changes without knowing or understanding what effect those changes might have," Matt Scholl, Deputy Division Chief at NIST, said.
Cybersecurity is already shaped by endless organizations, government agencies, schemas, frameworks and evolving standards, NIST's Sedgewick said. "We have to be careful when we think about the next phase of this effort to reduce that complexity and not increase it."
That view was embraced by most of the workshop attendees. However, some of the industry specialists who are implementing the framework think changes are needed sooner rather than later. "It is useful but it still needs more work," one big electric utility representative said. "If something is missing, they don't know something is missing. They should not wait too long to update the core."