NIST Cybersecurity Framework (CSF) for Critical Infrastructures

Andrew Yang, Ph.D., CISSP
Executive Director, Cyber Security Institute
Associate Professor of CS, CIS, IT
“Cybersecurity Framework is dead.”
Really?
• A bunch of questions about cybersecurity frameworks
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s IT
security risk?
- Will adopting a framework provide sufficient security to the
organization?
Outline
► What is a cybersecurity framework?
• The NIST Cybersecurity Framework
• Use and Implications of the CSF
• Discussions
• http://whatis.techtarget.com/definition/framework: “a framework is a real or
conceptual structure intended to serve as a support or guide for the building of
something that expands the structure into something useful.”
• Example: the Zachman framework (for Enterprise Architecture and Information
Systems Architecture): “a logical structure intended to provide a comprehensive
representation of an information technology enterprise that is independent of
the tools and methods used in any particular IT business”
Too many frameworks!
• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• NIST SP 800-53: Security and Privacy Controls for
Federal Information Systems and Organizations
• Federal Enterprise Architecture Framework (FEAF)
• Sherwood Applied Business Security Architecture
(SABSA)
• NIST SP 800-39: Risk Management Framework
• Security in Major IT Management Frameworks
• …
• Feb. 12, 2013: the Obama administration issued an executive order for
“improving critical infrastructure cybersecurity”.
– Several mandates:
  Expanding information sharing
  Establishing a cybersecurity framework
  …
• “The executive order calls for the NIST to establish a baseline framework to
reduce cyber risk to critical infrastructure.”
– Oct. 2013: first draft of the framework
– Feb. 2014: final draft (v1.0)
Risk Management Model
• Source: http://en.wikipedia.org/wiki/IT_risk_management
Cybersecurity framework?
• “The security professional needs to adhere to a framework.… once the security
professional begins to bring order to the organization’s security program, they
are implementing a framework.”
– http://www.securitycurrent.com/en/writers/david-sheidlower/security-where-myths-should-go-to-die
• Benefits:
– From chaos to order and organization
– Manageable practice
– From tools / mechanisms → architecture / policy → strategy / governance
Outline
• What is a cybersecurity framework?
► The NIST Cybersecurity Framework
• Use and Implications of the CSF
• Discussions
NIST Cybersecurity Framework
• Framework for Improving Critical Infrastructure Cybersecurity, version 1.0,
the National Institute of Standards and Technology (NIST), February 12, 2014.
– A response to the President’s Executive Order 13636, “Improving Critical
Infrastructure Cybersecurity”, of February 12, 2013.
– Critical infrastructure: “systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters.”
• A voluntary risk-based Cybersecurity Framework
– a set of industry standards and best practices to help organizations manage
cybersecurity risks
• The Framework is technology neutral.
Using the Framework
• Building from standards, guidelines, and
practices, the Framework provides a common
taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for
improvement within the context of a continuous and
repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external
stakeholders about cybersecurity risk.
NIST Cybersecurity Framework
• Three parts:
– The Framework Core
– The Framework Profile
– The Framework Implementation Tiers
• Framework Core
– A set of activities, outcomes, and informative references
– Provides the detailed guidance for developing individual organizational
Profiles
Framework Core
• Five concurrent and continuous Functions
– Identify
– Protect
– Detect
– Respond
– Recover
• Altogether, the Functions provide a high-level, strategic view of the
lifecycle of an organization’s management of cybersecurity risk.
• Functions organize basic cybersecurity activities at their highest level.
• Categories are the subdivisions of a Function into groups of cybersecurity
outcomes closely tied to programmatic needs and particular activities.
– Example Categories: “Asset Management,” “Access Control,” “Detection
Processes.”
Framework Profile
• Represents the outcomes, based on business needs, that an organization has
selected from the Framework Categories and Subcategories
• Aligns standards, guidelines, and practices to the Framework Core in a
particular implementation scenario
• “Current” profile → “Target” profile
• Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity
risk management objectives.
Framework Profile
• The Framework document does not prescribe Profile templates, allowing for
flexibility in implementation.
• Example profiles can be found at:
http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf
• Example Profiles for Threat Mitigation:
1. Mitigating intrusions
2. Mitigating malware
3. Mitigating insider threats
Coordination of Framework Implementation
Implementation Tiers
• Describe the degree to which an organization’s cybersecurity risk management
practices exhibit the characteristics defined in the Framework.
• Characterize an organization’s practices over a range from Partial (Tier 1)
to Adaptive (Tier 4):
– Partial (Tier 1): risks are managed in an ad hoc manner.
– Risk Informed (Tier 2): risk management practices are approved by management
but may not be established as organization-wide policy.
– Repeatable (Tier 3): risk management practices are formally approved and
expressed as policy.
– Adaptive (Tier 4): the organization adapts its cybersecurity practices based
on lessons learned and predictive indicators derived from previous and current
cybersecurity activities.
• The Tiers reflect a progression from informal, reactive responses to
approaches that are agile and risk-informed.
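The Profile comparison described two slides back (Current profile → Target profile, gaps to be addressed) and the Tier scale above can be combined into a small gap analysis. The script below is an added illustration, not code from the NIST document or from these slides; it assumes, as a modelling choice the Framework itself does not prescribe, that each selected Subcategory outcome is scored on the four Implementation Tiers, and it uses real CSF v1.0 Subcategory identifiers in constructed sample Profiles.

```python
# Added illustration (not from the NIST document): gap analysis between a
# "Current" and a "Target" Profile. Assumption: each selected Subcategory
# outcome is scored on the four Implementation Tiers, 1 (Partial) to
# 4 (Adaptive); the Framework itself leaves the Profile format open.
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Gap:
    subcategory: str   # CSF v1.0 identifier, e.g. "PR.AC-1"
    function: str      # the Function the Subcategory belongs to
    current: int       # tier in the Current Profile
    target: int        # tier in the Target Profile

    @property
    def size(self) -> int:
        return self.target - self.current

def validate(profile: dict) -> None:
    """Reject identifiers outside the five Functions or tiers outside 1..4."""
    for sub, tier in profile.items():
        if sub[:2] not in FUNCTIONS or tier not in TIERS:
            raise ValueError(f"{sub}: bad Function prefix or tier {tier}")

def gap_analysis(current: dict, target: dict) -> list:
    """Outcomes where Current falls short of Target, largest gap first.

    A Target outcome missing from Current counts as Tier 1 (nothing done yet);
    outcomes only in Current are not gaps but practice that may exceed the
    Target, which the Profile comparison also makes visible.
    """
    validate(current)
    validate(target)
    gaps = [Gap(sub, FUNCTIONS[sub[:2]], current.get(sub, 1), want)
            for sub, want in target.items() if current.get(sub, 1) < want]
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))

def gap_by_function(current: dict, target: dict) -> dict:
    """Total gap per Function, a roll-up suitable for stakeholder reporting."""
    totals = {}
    for g in gap_analysis(current, target):
        totals[g.function] = totals.get(g.function, 0) + g.size
    return totals

# Constructed sample Profiles; the identifiers are real CSF v1.0 Subcategories.
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 3}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "DE.DP-1": 2, "RS.RP-1": 4}
```

Running `gap_analysis(CURRENT, TARGET)` on the sample data lists DE.CM-1 and RS.RP-1 first (two tiers short), then DE.DP-1 (selected in the Target but absent from the Current Profile) and ID.AM-1; PR.AC-1 already meets its target and RC.RP-1 is outside the Target, so neither is a gap.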
Outline
• A bunch of questions about cybersecurity frameworks
• What is a cybersecurity framework?
• The NIST Cybersecurity Framework
► Use and Implications of the CSF
• Discussions
• Rodney Brown, Cyber-Security Standards for Major Infrastructure,
InformationWeek::reports, Jan. 2014.
“In a March 12 (2014) instruction (8501.01), DoD Chief Information Officer Teri
Takai said that starting that same day, defense and military systems will
henceforth go through the risk management framework outlined by the National
Institute of Standards and Technology rather than through the now-defunct DoD
Information Assurance Certification and Accreditation Process (DIACAP).”
Use and Implications of the CSF
• Rodney Brown, Cyber-Security Standards for Major Infrastructure,
InformationWeek::reports, Jan. 2014.
“The Cybersecurity Framework is likely to become the liability floor, much like
Sarbanes-Oxley has become.”
• Jon W. Burd, Cybersecurity Developments: Does the NIST “Voluntary” Framework
Portend New Requirements for Contractors? Fall 2013 | Government Contracts
Issue Update, Wiley Rein, LLP.
“The framework is intended to complement existing business and cybersecurity
operations for organizations with formal existing plans and policies, or to
serve as a template for organizations that create new programs.”
“For government contractors, in particular, one “incentive” agencies could
adopt—either through formal rulemaking or on an ad hoc basis—is a preference
for framework participants in competitions for federal information technology
(IT) or cyber-related contracts.”
• Earl Perkins, NIST Framework Establishes Risk Basics for Critical
Infrastructure, Gartner.com, Feb. 18, 2014.
https://www.gartner.com/doc/2667132/nist-framework-establishes-risk-basics
“The Framework for Critical Infrastructure is a useful tool for managing
cybersecurity risk, but will not replace risk management programs.”
“The CSF is not designed to replace large-scale cybersecurity risk programs or
existing operational frameworks such as COBIT or ISO 2700x.”
“The CSF serves as taxonomy for risk management of critical infrastructure in a
cybersecurity context.”
“The CSF is an absolute minimum of guidance for new or existing cybersecurity
risk programs, and is a legal framework for aligning IT to OT security.”
“The core, tiers and profile elements address combined cybersecurity risks for
IT/OT by providing a single approach — one Gartner believes is urgently needed.”
Gartner Recommendations
Enterprises:
• Use the CSF as a legal framework to map your IT/OT risks.
• Avoid making long-term procurement- or compliance-based decisions
from the CSF's guidance in its current state as it is missing key
components.
• Continue to apply standards that are well-accepted by your respective
industries.
Critical infrastructure companies with existing cybersecurity risk
programs:
• Use the CSF to validate program completeness.
Enterprises with nascent cybersecurity risk management programs:
• Use the CSF as a starting point for cybersecurity risk planning, as a
self-assessment tool and as a reference to weigh consulting offerings.
Companies with considerable IT/OT assets:
• Use the CSF as an aid to align and integrate cybersecurity risk
management across corporate and industrial control/automation
requirements.
• U.S. Department of Energy, Use of the NIST Cybersecurity Framework & DOE
C2M2, Feb. 2014.
http://energy.gov/sites/prod/files/2014/02/f7/Use-of-NIST-Cybersecurity-Framework-DOE-C2M2.pdf
Energy Sector Cybersecurity Framework Implementation Guidance - Draft for
Public Comment & Comment Submission Form (September 2014)
http://energy.gov/oe/downloads/energy-sector-cybersecurity-framework-implementation-guidance-draft-public-comment
“This Framework Implementation Guidance is designed to assist
energy sector organizations to:
• Characterize their current and target cybersecurity posture.
• Identify gaps in their existing cybersecurity risk management
programs, using the Framework as a guide, and identify areas
where current practices may exceed the Framework.
• Recognize that existing sector tools, standards, and guidelines may
support Framework implementation.
• Effectively demonstrate and communicate their risk management
approach and use of the Framework to both internal and external
stakeholders.”
Outline
• A bunch of questions about cybersecurity frameworks
• What is a cybersecurity framework?
• The NIST Cybersecurity Framework
• Use and Implications of the CSF
► Discussions
Review Questions
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s
IT security risk?
- Will adopting a framework provide sufficient security
to the organization?
Richard Stiennon, Floundering Frameworks: NIST as a Case in Point,
SecurityCurrent, Oct. 24, 2013:
http://www.securitycurrent.com/en/writers/richard-stiennon/floundering-frameworks-nist-as-a-case-in-point
“When the NIST Cybersecurity Framework is
completed it will, at best, become shelfware. At
worst, Congress will eventually create a law requiring
critical infrastructure operators to implement the
Framework. Thanks to strong lobbying on the part of
the regulated, the law will provide funding for
implementation of the Framework, funding that will
fill the pockets of audit firms and consultants. At the
end of the day the risk of a debilitating cyber attack
will have been reduced by exactly zero.”
NIST Roadmap for Improving Critical Infrastructure Cybersecurity, February 12,
2014
• Strengthening Private Sector Involvement in Future
Governance of the Framework
• Section 4: Areas for Development, Alignment, and
Collaboration
4.1 Authentication
4.2 Automated indicator sharing
4.3 Conformity assessment
4.4 Cybersecurity workforce
4.5 Data analytics
4.6 Federal agency cybersecurity alignment
4.7 International aspects, impacts, and alignment
4.8 Supply chain risk management
4.9 Technical privacy standards
Thanks!
Questions?
Andrew Yang
Yang@UHCL.edu
http://www.uhcl.edu/sce/csi