Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. The NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (CSF), provides private sector organizations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) issued Cybersecurity Framework version 1.0, more widely known as the Cybersecurity Framework, in February 2014, and released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity in April 2018.
“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.” The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
NIST described it as a voluntary “risk-based approach to managing cybersecurity risk” for organizations of all shapes and sizes. The resulting NIST Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses. The Framework enables organizations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.
“The odds of getting struck by lightning are 1 in 960 000, while the odds of dating a millionaire are 1 in 220 people, but the odds of experiencing a data breach are one in four people. And experiencing a cyber breach is not a matter of ‘if’, it’s a matter of ‘when’. Cyber security threats exploit the increased complexity and connectivity of critical infrastructure systems, placing an organisation at risk. Similar to financial and reputational risk, cyber security risks affect a company’s bottom line, driving up costs and impacting revenue,” Brett Skinner, security sales manager at Micro Focus SA, pointed out, speaking at the ITWeb Security Summit 2019 in Sandton in May 2019.
Discussing effective breach defence strategies and the advantages of basing an organisation’s enterprise security strategy on a broader framework, Skinner explained that security frameworks provide a common lexicon to consider internally, helping to safeguard the use of critical infrastructure while limiting the chances of a security breach. “The NIST framework consists of standards, guidelines, and best practices to manage cyber security threats, which exploit the increased complexity and connectivity of critical infrastructure systems,” explained Skinner. “A solid cyber security framework helps organisations to validate the controls and processes already in place, and identify which areas require more investment to improve security, technology, people or processes.”
In the handful of years since the NIST Cybersecurity Framework (CSF) was developed, it has been widely adopted in the US and used as a model by many other countries and organizations internationally. According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework as a central component of their enterprise risk management strategy by 2020, up from 30 percent in 2015.
The Framework consists of three parts: The Framework Core, the Framework Profile, and the Framework Implementation Tiers.
The Framework organizes security around a “Core,” consisting of five key elements – identify, protect, detect, respond and recover – that represent the high-level activities that help organizations make sound decisions around risk/threat management and continuous improvement.
Implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, over a range from Partial (Tier 1) to Adaptive (Tier 4).
A Profile is a customization of the Core for a given sector, subsector, or organization. It aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Through the use of Profiles, the Framework helps the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources.
The Framework Functions
Each of the framework’s five functions represents a key pillar of a successful, end-to-end cybersecurity program. They help organizations express their management of cybersecurity risk at a high level and support risk management decision-making. The NIST CSF is organized into these five core Functions, collectively known as the Framework Core. The functions operate concurrently with one another to represent a security lifecycle. Each function is essential to a well-operating security posture and to the successful management of cybersecurity risk.
“Firstly, organisations must identify what type of business they’re in, and where things lie within the business units. How important is your data and what exactly is at risk? Protection is about protecting your point products, which can be done in various ways, such as identity management technologies, access management technologies or other types of security technologies.”
“Detection is about making sure you are doing all the right things, by using a monitoring platform to detect anomalies and events. Response takes place once the organisation has identified an issue or a breach. Lastly, the recovery phase is about how we communicate – response planning, analysis of the situation, mitigation and future improvements.”
In the case of a security breach incident, Skinner stressed the importance of notifying affected parties. In terms of limiting the impact of a security breach, he noted the value of understanding the current state of the organisation, which allows for better planning and prioritisation.
“Assessing where the risks are in the environment, seeking out and eliminating vulnerabilities, keeping everything patched and updated. This doesn’t just apply to operating systems but also applications, databases and other systems. From a solution perspective, application security is of utmost importance – this includes scanning code for vulnerabilities that may be introduced, as well as service and endpoint management,” concluded Skinner.
The step that jumpstarts cybersecurity practice, identify, assists businesses in developing an organizational understanding of how to manage cybersecurity risks to systems, people, assets, data and capabilities. Understanding the context of how security affects the business enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business objectives.
Outcomes facilitated within the identify function include:
- Identifying physical and software assets within the organization to establish an asset management program
- Identifying the business environment the organization supports, including the organization’s role in the supply chain and its place within the critical infrastructure sector
- Identifying existing cybersecurity policies within the organization to define a governance program and identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identifying asset vulnerabilities, threats to internal and external organizational resources and risk response activities as a basis for the organization’s risk assessment
- Identifying a risk management strategy for the organization including establishing risk tolerances
- Identifying a supply chain risk management strategy including priorities, constraints, risk tolerances and assumptions used to support risk decisions associated with managing supply chain risks
The second function, protect, outlines the appropriate safeguards required to deliver critical infrastructure services. This function supports a business’s ability to limit or contain a potential cybersecurity event.
Examples of outcomes fostered through the protect function include:
- Protections for identity management and access control within the organization for both physical and remote access
- Empowering staff within the organization through awareness and training, including role-based and privileged user training
- Establishing data security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information
- Implementing information protection procedures to maintain and manage information systems and assets
- Protecting organization resources through maintenance
- Managing protective technology to ensure the security and resilience of systems and assets are consistent with organizational policies, procedures and agreements
The detect function defines activities to identify the occurrence of a cybersecurity event and enables timely discovery of such events.
Examples of outcomes established within the detect function include:
- Ensuring anomalies and events are detected and their potential impact is understood
- Implementing security continuous monitoring capabilities to track cybersecurity events and verify the effectiveness of protective measures
- Maintaining detection processes to provide awareness of potential threats
The respond function establishes the appropriate actions regarding a detected cybersecurity incident and supports a business’s ability to contain its impact.
Outcomes established through the respond function include:
- Ensuring response planning processes are executed during and after an incident
- Managing communications during and after an event with internal and external stakeholders, including law enforcement, as appropriate
- Conducting analysis to ensure effective event response and to support recovery activities, including forensic analysis and determining the impact of incidents
- Performing mitigation activities to prevent expansion of an event and to resolve the incident
- Implementing improvements by incorporating lessons learned from current and previous detection/response activities
Lastly, the recover component helps identify the appropriate actions required to maintain plans for security resilience and to restore any capabilities that may have been impaired due to a cybersecurity event. This final function supports timely recovery to normal operations and ensures a reduced impact from potential events.
Examples of outcomes within the recover function include:
- Ensuring the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
- Implementing improvements based on lessons learned and reviews of existing strategies
- Coordinating internal and external communications during and following the recovery from a cybersecurity incident
These functions are comprehensively broken down into 22 categories and 98 subcategories, which are mapped to various informative references. Each function maps to key categories of desired outcomes (e.g., “Asset Management,” “Access Control”). Each category then expands to a series of more specific outcomes and technical/management activities that are, in turn, tied to dozens of “informative references,” such as ISO/IEC, ISA and COBIT, which are well established implementation standards. The Framework doesn’t include specific practices or requirements. Instead, it’s meant to facilitate an iterative process that involves “detecting risks and constantly adjusting one’s security program and defenses.”
The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. It enables communication of cyber risk across an organization.
Framework Implementation Tiers
The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. Organizations evaluating their performance in a particular Core category or subcategory can equate it with one of four implementation Tiers, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous one. This is frequently, though unofficially, viewed as a framework maturity assessment.
A “profile” comprises the Tier rankings across all categories and reflects a particular state of cybersecurity risk management. For example, a “current profile” reflects the current Tier rankings. An organization can prioritize key areas for improvement and set out to achieve a “target” profile represented by a higher Tier ranking in those areas.
Outcomes of implementation are:
- A clear and consistent assessment process. The Framework Core and accompanying questions will help you achieve a better understanding of the five concurrent and continuous functions, and provide you with a strategic view of your organization’s management of cybersecurity risk.
- A context on the maturity of your cyber risk management. Framework implementation tiers include partial, risk informed, repeatable, and adaptive.
- A cybersecurity risk road map. The Framework profile provides a mechanism for organizations to describe their current state, target state, gaps, and resource requirements.
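As an added illustration (not NIST’s text and not any vendor’s tool) of how the Core, Tiers and Profiles fit together, the following Python models the structure just described: Functions containing Categories, a Tier rating per Category, a Current and a Target Profile, and the gap between them expressed as a prioritised roadmap. The Category names are lifted from the outcome bullets above, the sample Tier ratings are constructed for a hypothetical organisation, and the official Category identifiers and any real assessment data are deliberately left out.

```python
"""Profile gap analysis for a NIST CSF-style Core (constructed example).

Functions contain Categories; each Category is rated against one of four Tiers;
a Profile is the set of ratings across all Categories; the roadmap is the gap
between a Current and a Target Profile. Category names follow the article's
outcome bullets; official CSF identifiers are intentionally omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Function -> Categories in lifecycle order. Ratings are keyed by (function, category)
# because "Improvements" and "Communications" appear under both Respond and Recover.
CORE: Dict[str, List[str]] = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy", "Supply Chain Risk Management"],
    "Protect": ["Identity Management and Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures", "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring", "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis", "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}
FUNCTION_ORDER = list(CORE)
CategoryKey = Tuple[str, str]
Profile = Dict[CategoryKey, int]


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def validate_profile(profile: Profile) -> None:
    """A Profile must rate every Category exactly once, each with a Tier in 1..4."""
    expected = {(f, c) for f, cats in CORE.items() for c in cats}
    if set(profile) != expected:
        raise KeyError(f"profile keys differ from the Core: {sorted(set(profile) ^ expected)}")
    bad = {k: t for k, t in profile.items() if t not in TIER_NAMES}
    if bad:
        raise ValueError(f"tiers must be in 1..4: {bad}")


def build_profile(default_tier: int, overrides: Optional[Dict[CategoryKey, int]] = None) -> Profile:
    """Rate every Category at default_tier, then apply per-Category overrides."""
    profile = {(f, c): default_tier for f, cats in CORE.items() for c in cats}
    for key, tier in (overrides or {}).items():
        if key not in profile:
            raise KeyError(f"unknown category {key!r}")
        profile[key] = tier
    validate_profile(profile)
    return profile


def function_summary(profile: Profile) -> Dict[str, int]:
    """Weakest Tier per Function: a Function is only as mature as its least mature Category."""
    return {f: min(profile[(f, c)] for c in cats) for f, cats in CORE.items()}


def gap_report(current: Profile, target: Profile) -> List[Gap]:
    """Categories where Target exceeds Current, largest gap first; ties are broken by
    lifecycle order so foundational Identify work is scheduled before later Functions."""
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(f, c, current[(f, c)], target[(f, c)]) for f, cats in CORE.items() for c in cats]
    return sorted((g for g in gaps if g.size > 0),
                  key=lambda g: (-g.size, FUNCTION_ORDER.index(g.function), g.category))


def format_roadmap(current: Profile, target: Profile) -> str:
    """Per-Function summary followed by the prioritised gap list."""
    now, goal = function_summary(current), function_summary(target)
    lines = ["Function summary (weakest Category Tier, current -> target):"]
    for f in FUNCTION_ORDER:
        lines.append(f"  {f:<9} Tier {now[f]} ({TIER_NAMES[now[f]]}) -> Tier {goal[f]} ({TIER_NAMES[goal[f]]})")
    lines.append("Prioritised roadmap (largest gap first):")
    for i, g in enumerate(gap_report(current, target), 1):
        lines.append(f"  {i:>2}. {g.function}/{g.category}: Tier {g.current} -> Tier {g.target} (+{g.size})")
    return "\n".join(lines)


# Constructed sample Profiles for a hypothetical organisation (not real assessment data).
CURRENT_PROFILE = build_profile(2, {
    ("Identify", "Asset Management"): 1,
    ("Identify", "Supply Chain Risk Management"): 1,
    ("Detect", "Security Continuous Monitoring"): 1,
    ("Respond", "Improvements"): 1,
    ("Protect", "Identity Management and Access Control"): 3,
})
TARGET_PROFILE = build_profile(3, {
    ("Protect", "Identity Management and Access Control"): 4,
    ("Detect", "Security Continuous Monitoring"): 4,
    ("Recover", "Recovery Planning"): 2,  # consciously held at its current Tier
})

if __name__ == "__main__":
    print(format_roadmap(CURRENT_PROFILE, TARGET_PROFILE))
```

The per-Function summary uses the weakest Category rather than an average, which matches how an assessor reads a Tier: an Adaptive detection process does not compensate for Partial continuous monitoring in the same Function. A Target deliberately set at or below the Current rating, as with Recovery Planning here, drops out of the roadmap instead of being flagged, reflecting that Profiles express business priorities and a higher Tier is not always the goal.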
FTC Makes Clear that NIST Cyber Framework is Not a Cure-All
As the Federal Trade Commission (FTC) notes, the NIST Framework “is not, and isn’t intended to be, a standard or checklist.” The Framework provides guidance on process. It does not prescribe the specific practices that must be implemented. Most importantly, the FTC correctly observes that there is “no one-size-fits-all approach,” nor the possibility of achieving “perfect security.” Put simply, the framework is just that: a framework for understanding the current state of an organization’s cybersecurity program and preparing a risk-based approach to improving maturity.
The FTC blog post reiterates, yet again, that there is no magic bullet to establish adequate data security. Ultimately, what is required is careful, detail-oriented design, implementation, and enforcement of sound policies and practices to mitigate both the impact of cybersecurity incidents and of serious regulatory scrutiny.
NIST Framework 1.1
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”
“Version 1.1 includes updates on: authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure. This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”