In February 2014 the U.S. National Institute of Standards and Technology (NIST) released the first version of a Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It was developed over a period of a year as part of the response to U.S. Executive Order 13636 (Improving Critical Infrastructure Cybersecurity). NIST hosted a series of five workshops between April and November 2013 to collect input and guidance from a broad cross section of stakeholders. This information was used to shape the initial version.
Since its release, the framework has gained increased attention and adoption in a variety of sectors, industries and applications. End user organizations, suppliers and consultants have used it to assess the current level of cybersecurity and establish a plan for improving or maintaining performance in this area. To support these efforts, NIST has also developed and released several other tools associated with the framework to aid in its implementation. Examples include a data-based Reference Tool, a spreadsheet version of the framework, and records from the various workshops conducted during the development of the Framework.
The structure of the framework consists of three principal elements:
- the Core
- the Profile
- the Implementation Tiers
Each of these elements has a specific purpose. The Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors. These provide the detailed guidance for developing individual organizational Profiles. Profiles help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources, and Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
Profiles are intended both to help identify opportunities for improving cybersecurity, and to provide a basis for comparison to prioritize process improvement activities. They describe the current and desired future states, and identify specific gaps to be addressed. Responses to these gaps become the basis for an action plan.
Profiles and Gap Assessment
NIST has encouraged organizations to develop their own custom profiles. However, it may not be obvious what such a profile would or should include, or the format that it should take. NIST recently released a draft Manufacturing Profile that addresses the desired cybersecurity outcomes for manufacturing systems and provides an approach for achieving those outcomes. It focuses on how cybersecurity can support typical manufacturing business objectives and is aligned with industry best practices, including NIST Special Publication 800-82 Guide to Industrial Control System Security.
The manufacturing profile defines specific cybersecurity activities and outcomes for protecting the manufacturing system, its components, facility, and environment. It provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. Organizations can also use it to express the desired state as well as assess current state. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines used by manufacturers.
In addition to being a useful tool for the manufacturing sector, the profile can also serve as a starting point for similar profiles in other sectors, industries, or even individual companies. While profiles developed by companies may necessarily remain private or proprietary, those developed at the sector level will hopefully become more broadly available.
For example, the United States Coast Guard (USCG) and industry representatives joined with the National Cybersecurity Center of Excellence (NCCoE) – part of the National Institute of Standards and Technology (NIST) – to improve the safety of transferring hazardous liquids at U.S. ports.
As more illustrative examples become available, we presume that it will become progressively easier to develop similar profiles for specific applications.