A framework for helping the owners and operators of the nation’s critical infrastructures prepare for and mitigate the risks of cyber attacks and intrusions will take advantage of existing standards and best practices these industries already use to protect themselves, government officials said yesterday.

The Cybersecurity Framework will be a “collection of probably references to existing standards,” likely with options to choose from, Patrick Gallagher, director of the National Institute of Standards and Technology (NIST), said at the agency’s kickoff workshop, held to begin collecting ideas from industry on the components of the framework. He added that the government would “lead by following” the private sector and not tell industry how to build its products.

One industry participant said he appreciates the fact that the framework will employ existing standards and practices.

“The bottom line for me is an adopt-and-go approach, even though you have to tailor it to your environment, is much more advantageous than trying to build something from scratch,” Reid Stephan, information security manager for St. Luke’s Health System, a chain of hospitals in Idaho, said during one of the panel presentations.

Gallagher pointed out that because the technologies needed to detect, prevent and mitigate cyber attacks cannot remain static, neither can the standards and practices employed in cyber security. He said the Cybersecurity Framework will require an ongoing process for remaining current. Another goal, he said, is to encourage broad adoption of these standards, practices and methodologies across the various critical infrastructures and within the supply chains of the industries that make them up.

An initial draft of the framework is due to be completed in October with the first working version due next February. Creation of the framework was directed by President Barack Obama in February in an Executive Order that also called for the federal government to share classified and unclassified cyber threat information with the private sector (Defense Daily, Feb. 13).

Industry adoption of any standards and practices contained in the Cybersecurity Framework is voluntary, but in an effort to encourage critical infrastructures to implement them, the Department of Commerce last Friday published a Notice of Inquiry in the Federal Register to evaluate incentives for obtaining private sector participation.

While NIST is facilitating the development of the Cybersecurity Framework with the participation of industry and other government stakeholders, it is the responsibility of the Department of Homeland Security to implement the Executive Order. To this end, DHS has stood up a task force that also includes government and industry stakeholders, Jane Holl Lute, deputy secretary of DHS, said at the workshop.

The task force consists of eight working groups. One of the groups is focused on incentivizing adoption of the framework and will explore the “feasibility, security benefits and the relative merits of incorporating security standards into acquisition planning and contract administration,” Lute said.

Other working groups will focus on identifying and prioritizing critical infrastructures that are cyber dependent, collaborating with NIST and industry stakeholders, research and development related to tasks in the Executive Order, assessing privacy and civil liberties issues, mapping critical infrastructure resilience across the federal government, including identifying baseline data and system requirements for departments and agencies, and evaluating the current public-private critical infrastructure model, Lute said.

The workshop included several panels of industry and government officials offering various perspectives on standards and the current threat environment.

The industry participants offered various ideas about the Cybersecurity Framework. St. Luke’s Stephan and Michael Arceneaux, who represented the Water Information Sharing & Analysis Center, both said that the framework needs to be accessible and understandable.

Arceneaux said that in the water and wastewater industries “one of the greatest challenges” is making sure that the framework is focused on “general management” that makes the decisions. He said the standards and practices have to be aimed at a “non-IT audience” to encourage adoption.

Several of the industry participants also said the workforces in their industries and companies need to be better educated regarding cyber hygiene.

Mike Papay, vice president for Information Security and Cyber Initiatives and the chief information security officer at Northrop Grumman [NOC], said he sent a spear phishing email last week to each of the company’s 68,000 employees on the need to refile their 2012 taxes to test who would open it. Those that failed get remedial training, he said.

Others said that metrics are needed to be able to better measure risk. The insurance market lacks effective metrics on what to back and what not to, Terry Rice, chief information security officer at pharmaceutical giant Merck & Co. [MRK], said.

Papay, however, said balancing risk is difficult, adding that there is “no cut and dried figure of merit” for how much money an organization should spend on cyber security. Rather, he said, it’s more about having the right people to do information security and trusting them to be responsive and proactive.

Yesterday’s workshop, along with a Request for Information that NIST issued last month, was to gather input for the framework. Subsequent workshops this spring and summer will focus on writing the framework.