A framework for helping the owners and operators of the nation’s critical infrastructures prepare for and mitigate the risks of cyber attacks and intrusions will take advantage of existing standards and best practices these industries already use to protect themselves, government officials said recently.
The Cybersecurity Framework will be a “collection of probably references to existing standards” with options likely to choose from, Patrick Gallagher, director of the National Institute of Standards and Technology (NIST), said at the agency’s kickoff workshop this month to help begin collecting ideas from industry on the components of the framework. He added that the government would “lead by following” the private sector and not tell industry how to build its products.
One industry participant says he appreciates the fact that the framework will employ existing standards and practices.
“The bottom line for me is an adopt-and-go approach, even though you have to tailor it to your environment, is much more advantageous than trying to build something from scratch,” Reid Stephan, information security manager for St. Luke’s Health System, a chain of hospitals in Idaho, told the workshop.
Gallagher pointed out that as the technologies that are necessary for detecting, preventing and mitigating cyber attacks can’t remain static, neither can the standards and practices that are employed in cyber security. He said the Cybersecurity Framework will require an ongoing process for remaining current while another goal is to encourage broad adoption of these standards, practices and methodologies across the various critical infrastructures and within the supply chains of the industries that make them up.
An initial draft of the framework is due to be completed in October, with the first working version due next February. Creation of the framework was directed by President Barack Obama in February in an Executive Order that also called for the federal government to share classified and unclassified cyber threat information with the private sector.
Industry adoption of any standards and practices contained in the Cybersecurity Framework is voluntary, but in an effort to encourage critical infrastructures to implement them, the Department of Commerce has published a Notice of Inquiry in the Federal Register to evaluate incentives to obtain private sector participation.
When asked by Gallagher how adoption of better security standards and practices can be encouraged within various critical infrastructures, the industry panelists mentioned a variety of ways. One is education and awareness among employees of good cyber hygiene.
Mike Papay, vice president for Information Security and Cyber Initiatives and the chief information security officer at Northrop Grumman [NOC], said he recently sent a spear phishing email to each of the company’s 68,000 employees on the need to refile their 2012 taxes to test who would open the letter. Those that failed got remedial training, he said.
Russell Schrader, chief privacy officer for Visa [V], said the “sticks” against lax security include things like bad press, negative business impacts due to a network breach, or a consent decree filed by the Federal Trade Commission. The “carrots” include ensuring a good customer experience, he said.
Most merchants and others that rely on credit cards as part of their business operations “are looking for help but looking for the kind of help they can implement,” Schrader said. “Something that is scalable to a ‘mom and pop’ as well as an international financial institution or chain of stores.”
Enterprise risk management is an important tool for adopting good cyber security within the pharmaceutical sector, Terry Rice, chief information security officer at pharmaceutical giant Merck & Co. [MRK], said.
“I can talk not about the cyber incidents that are going to occur but how failures in our IT systems, irrespective of the cause, could lead to issues and incidents there,” Rice said. “So it’s that patchwork and cross connect between different risk managers within the business and within IT that I think starts to give them the line of sight.”
While NIST is facilitating the development of the Cybersecurity Framework with the participation of industry and other government stakeholders, it is the responsibility of the Department of Homeland Security (DHS) to implement the Executive Order. To this end, DHS has stood up a task force that also includes government and industry stakeholders, Jane Holl Lute, deputy secretary of DHS, said at the workshop.
The task force consists of eight working groups. One of the groups is focused on incentivizing adoption of the framework and will explore the “feasibility, security benefits and the relative merits of incorporating security standards into acquisition planning and contract administration,” Lute said.
The Professional Services Council, a trade association serving professional and technical services firms in the federal market space, said this week it has supplied comments to NIST regarding the Cybersecurity Framework saying initial work on it should be completed before any new acquisition-specific cyber security requirements are implemented. The association pointed specifically to initiatives underway in the Federal Acquisition Regulations and Defense Federal Acquisition Regulation Systems related to cyber security that should be suspended.