Managing risk and adopting a risk-based approach to cybersecurity is increasingly necessary in the age of convergence. We’re already seeing a proliferation of risk-based services and approaches to cyber insurance, engineering, and design throughout the industrial and critical infrastructure segments. So, how do we use risk assessments to craft cybersecurity policy for the operational technology (OT) domain? The NIST Cybersecurity Framework provides guidance for manufacturing.
Time to Consider the NIST Cybersecurity Framework for Manufacturing
The National Institute of Standards and Technology (NIST) has received considerable recognition over the past few years for developing the NIST Cybersecurity Framework (CSF), which is now widely used as the basis for establishing effective security management systems. NIST recently released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. While this falls short of being a fully constructed risk management model for cybersecurity, the new framework does contain much-expanded guidance on the element of risk in cybersecurity.
Version 1.1 of NIST Cybersecurity Framework
The US Commerce Department’s National Institute of Standards and Technology (NIST) recently released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity, widely known as the Cybersecurity Framework. US Secretary of Commerce, Wilbur Ross, made an appeal to C-level management at all companies in the US to use the framework as the first line in their overall cyber-defense strategy. The framework was originally developed to address industries deemed vital to US national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state, and local governments.
Increased Focus on Risk Management
Risk management is at the forefront of this new release. NIST signaled this at the recent ARC Industry Forum in Orlando, where Keith Stouffer, NIST Project Manager of Cybersecurity for Smart Manufacturing Systems, hinted at methods, metrics, and tools to enable manufacturers to assess the cyber risk to their systems quantitatively. ARC is already seeing increased use of risk-based approaches to cybersecurity that borrow heavily from the HAZOP and risk matrix concepts in process safety. This NIST Framework stops short of being an actual model for cybersecurity risk management, but other available resources do that well, including the IEC 62443-3-2 cybersecurity standard.
Version 1.1 of the NIST Framework includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. NIST based the changes to the framework on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to help NIST address stakeholder inputs comprehensively. A new section 4.0, called Self-Assessing Cybersecurity Risk, explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.
An expanded Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, helps users better understand Cyber Supply Chain Risk Management (SCRM). A new Section 3.4, Buying Decisions, highlights use of the framework to understand risk associated with commercial off-the-shelf products and services. Additional SCRM criteria were added to the implementation tiers. Finally, a Supply Chain Risk Management Category, including multiple subcategories, has been added to the framework core.
Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment, and collaboration. NIST is also hosting a Cybersecurity Risk Management Conference, November 7 through 9, 2018, in Baltimore, Maryland. The conference will include a major focus on the framework.
NIST provides many good resources beyond the framework document. A NIST guide to managing risk in information security, for example, outlines some of the fundamentals and NIST’s overall approach to risk management. NIST’s Guide for Conducting Risk Assessments provides guidance on various types of risk models and approaches to conducting risk assessments. However, none of these documents provides a risk model that encompasses both IT and OT for critical infrastructure or manufacturing industries.
Managing risk and adopting a risk-based approach to cybersecurity is increasingly necessary in the age of convergence. There is already a proliferation of risk-based services and risk-based approaches to cyber insurance, engineering, and design throughout the industrial and critical infrastructure segments. While many companies have their own methodologies for assessing risk, very few seem to focus specifically on manufacturing, infrastructure, or smart cities.
A wide range of companies and organizations are converging on this space. These include engineering service providers, process safety lifecycle management suppliers, cyber insurance companies, consulting companies, Big Data and analytics software suppliers, standards bodies, and government regulators. No single standard or model exists for measuring risk as it relates to cybersecurity in industrial organizations. Cyber insurance companies are either developing their own methodologies or using partners that have their own models, scoring systems, and evaluation capabilities.
ARC will continue to monitor and analyze the many developments in the cybersecurity risk-related space. For more about cybersecurity, please visit our Cybersecurity Viewpoints blog site.