On October 23, 2013, the National Institute for Standards and Technology (NIST) issued for public comment its Preliminary Cybersecurity Framework.  As we have reported in blog posts in the past [White House and DHS Float Incentives for Adopting Cybersecurity Framework, The Cybersecurity Executive Order’s Effect on the Electric Industry, President Obama Issues Executive Order — Improving Critical Infrastructure Cybersecurity], this framework document was issued pursuant to President Obama’s Executive Order 13636, which required the federal agencies to develop a voluntary program for protecting the cybersecurity of the nation’s critical assets.  The Preliminary Cybersecurity Framework was the product of several months of workshops and other outreach activity by NIST, and it was due to be posted on October 10, 2013, but was delayed due to the federal government shutdown.  NIST will open a 45-day public comment period on the Preliminary Cybersecurity Framework in the coming days.

Overall, the Framework is a risk-based approach to assessing existing cybersecurity controls and identifying gaps. At its core are five broad categories of controls based on those that are designed to identify risks, to protect critical infrastructure, to detect the occurrence of a cybersecurity event, to respond to a detected cybersecurity event, and to recover from a cybersecurity event.  By mapping its controls to these core functions, an organization with critical infrastructure can develop a profile of its internal controls to identify their strengths and also identify any gaps.  Based on an assessment of that profile, an organization can identify whether its cybersecurity program falls within one of four “implementation tiers”: partial, risk-informed, risk-informed and repeatable and adaptive.

As a diagnostic tool, the Preliminary Cybersecurity Framework lives up to NIST’s major promises.  It is flexible enough to apply to critical infrastructure in many different industries with varying degrees of experience in cybersecurity.  As NIST states:

Within the critical infrastructure, organizations vary widely in their business models, resources, risk tolerance, approaches to risk management, and effects on security, national economic security, and national public health and safety.  Because of these differences, the Framework is risk-based to provide flexible implementation.

NIST also states that the flexibility of the Framework will benefit efforts to enhance cybersecurity within organizations:

The Framework is designed to complement existing business and cybersecurity operations.  It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices.

With that said, the NIST framework leaves something to be desired when it comes to outlining substantive requirements that critical infrastructure owners must or should follow to protect against cybersecurity events.  In Appendix C of the Framework, NIST identifies “several high-priority Areas of Improvement” and notes that these Areas of Improvement “should be addressed through future collaboration with particular sectors and standards-developing organizations.”  Among these areas of improvement are authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects, impacts, and alignment; privacy standards; and supply chain risk management.  Other than providing a high level overview of these issues, the Framework does not outline the steps NIST or other federal agencies should take to address them, nor does the Framework spell out an approach to resolving these Areas of Improvement in a way that would lead to actionable guidance to the various critical infrastructure industries.

Moreover, other than listing out generally accepted standards and practices, and categorizing them based on the core functions (identify, protect, detect, respond and recover), the Framework does little to assess differences among standards and practices.  Appendix A of the Framework lists out more than 50 “informative references” written by diverse organizations as the Council on Cyber Security, NIST, the International Society of Automation, the International Organization for Standardization, and many others.  Although NIST claims that “the Framework uses risk management process to enable organizations to inform and prioritize decisions regarding cybersecurity” (emphasis added), the Framework does not provide direction as to how the guidance in each of these many informative references should be implemented, how discrepancies among these informative references should be resolved, and how gaps between these various informative references can be managed.

The importance of determining how to prioritize cybersecurity-related decisions is no more pronounced than in the electric industry, which has been operating under mandatory reliability standards related to cybersecurity and critical infrastructure protection (CIP) for more than five years.  The electric industry’s compliance with these reliability standards is enforced by NERC.  In earlier stages of NIST’s framework development activity, NIST posted an example of how the Framework could be applied with respect to industrial control systems in the electric industry, and in this example, the NERC CIP standards are listed out as one among many informative references  in each of the core functions.  Given that the electric industry has taken several years to interpret, understand and “operationalize” the NERC CIP standards, the prospects of prioritizing them among a plethora of other informative references would seem daunting.

Those in the electric industry and other critical infrastructure industries may seek comfort in the fact that the NIST’s Cybersecurity Framework is supposed to be a voluntary program, but there remain concerns about exactly how voluntary this program will be.  Even if a company chooses not to utilize the Cybersecurity Framework, the company runs the risk that a court may rely on the framework to assess how well a company responds to a cybersecurity event, if such an event leads to litigation.  Further, President Obama’s Executive Order 13636 called for the “establishment of a set of incentives designed to promote participation in the Program,” so the Departments of Homeland Security, Commerce, and Treasury have worked together to identify potential incentives and provided their recommendations to the President  As we previously reported on the blog, the Department of Homeland Security has floated a list of incentives including the availability of cybersecurity insurance and/or liability limitations.  These incentives will require further development, and at the present time it is not clear which of these proposed incentives will be available, if any, in each of the critical infrastructure industries.