Data breaches are a major cyber risk that can instantly affect a company's bottom line in more ways than one, which is why it is imperative to find comprehensive cyber security solutions that keep your business safe. They drive up costs through compliance-related fines and reduce revenue when consumer trust in the organization's products or services falls after an attack. If a data breach is large enough, it can cripple a company's critical infrastructure to the point that the company cannot recover. To combat these threats to cyber infrastructure, President Barack Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, on February 12, 2013. This Executive Order established a U.S. policy focused on enhancing the Nation's critical infrastructure through the maintenance of secure public and private cyber environments.
These efforts were enacted to encourage efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties as cybersecurity standards for every organization. Once Executive Order 13636 was signed, a voluntary, risk-based Cybersecurity Framework was established to guide organizations in managing potential cybersecurity risks. The Framework was originally published as Version 1.0 in 2014 by the National Institute of Standards and Technology (NIST) after many months of collaboration between government and private-sector authorities. Let's take a closer look at the NIST Cybersecurity Framework (CSF), how to implement it, and how it is being used to combat future cybersecurity threats to critical infrastructure components.
Cybersecurity NIST framework
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a three-part, risk-based approach to cyber risk management. Those who use the NIST CSF often refer to it simply as the Framework. According to NIST, no law currently requires organizations to use the Framework, but this doesn't mean that others won't expect you, as a vendor, to use it. In fact, some organizations and some regulators require their vendors to use the Framework, or strongly encourage its use. In these situations, if you're a vendor not using the Framework, the companies that strongly encourage its implementation might not renew their contract(s) with you, as they may consider your operations riskier than others.
What makes the Framework so sought after by some organizations is that it provides the guidance, guidelines, and practices that allow organizations to better manage and reduce cybersecurity risk in their critical infrastructure. The Framework shouldn't be used as a checklist, but rather as an overall information risk management program. The Framework is comprised of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Let's cover these three parts in the subheadings below:
Framework Core
The Framework Core provides a common baseline of cybersecurity activities, aligned with the common cybersecurity functions of threat identification, protection mechanisms, threat detection, incident response, and incident recovery. The Core is designed as an intuitive common language that allows multidisciplinary teams to communicate through five high-level Functions: Identify, Protect, Detect, Respond, and Recover. These Functions and an explanation of their uses are outlined in the table below:

| Function | Explanation |
| --- | --- |
| Identify | Identifying where threatened and non-threatened application data intersect is the key to effective and efficient security. All elements that need to be protected should be identified and documented, which then provides a solid foundation for the other Functions. |
| Protect | Draft and implement appropriate safeguards that will ensure the delivery of critical services in the event of a cyberattack. This helps to limit the potential disruption of a data breach and allows core activities to continue as planned. |
| Detect | The IT security team must put in place tools and processes that allow the organization to rapidly detect and identify a cyberattack once one has commenced. This involves deploying monitoring tools that alert staff should an anomalous event take place or unusual network activity be noticed. |
| Respond | Develop a thorough list of steps to be carried out in the event of a cybersecurity incident to minimize the impact on the business and other stakeholders. |
| Recover | Develop and implement appropriate measures to ensure the organization can return to normal operations as quickly as possible following an incident. |
Framework Implementation Tiers
Framework Implementation Tiers characterize an organization's practices from Partial (Tier 1) to Adaptive (Tier 4). Each Tier provides context on how an organization views cybersecurity risk(s) and the processes it has in place to manage said risk(s). Each Tier describes how integrated cybersecurity risk decisions are into broader risk decisions and the degree to which the organization shares and receives cybersecurity information with external parties. Higher Tiers represent a higher degree of sophistication and maturity in the management of cybersecurity risks and responses. Even at a higher Tier, organizations should still consider their current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. For more information on each of the four Tiers in the Framework, see the table below:
| Tier | Name | Explanation |
| --- | --- | --- |
| 1 | Partial | Informal practices; limited awareness; no cybersecurity coordination. |
| 2 | Risk Informed | Management-approved processes and prioritization, but not deployed organization-wide; high-level awareness exists and adequate resources are provided; informal sharing and coordination. |
| 3 | Repeatable | Formal policy defines risk management practices and processes, with regular reviews and updates; organization-wide approach to managing cybersecurity risk, with implemented processes; regular, formalized coordination. |
| 4 | Adaptive | Practices actively adapt based on lessons learned and predictive indicators; cybersecurity is implemented and part of the culture organization-wide; active risk management and information sharing. |
Framework Profile
The Framework Profile is meant to document the status of an organization or a new program in an objective fashion. The Profile is essentially a snapshot of an organization's prescribed and implemented controls. This snapshot (the current state) is compared against the target state derived from the Framework to identify any gaps, and those gaps then drive plans to address deficiencies in the program. The target state is based on the business needs an organization has selected from the Framework. By aligning standards, guidelines, and practices from the Framework Core, the Profile can be optimized to improve the organization's cybersecurity posture.
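The Core Functions, the four Tiers and the Profile gap comparison described above fit together in a small gap-analysis routine. The following is an added example, not code from the article or from NIST: it scores each CSF Category in a Current Profile and a Target Profile on the 1 to 4 Tier scale from the table above, lists the gaps ordered by business priority and shortfall, and rolls them up per Function. The Category identifiers (ID.AM, DE.CM and so on) follow CSF v1.1 naming and are not listed on this page; the scores and priorities are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Implementation Tier labels, as listed in the article's Tier table.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# The five Core Functions from the article, keyed by the two-letter prefix that
# CSF v1.1 Category identifiers use (an assumed convention, not shown on the page).
FUNCTION_OF = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
               "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    category: str   # e.g. "DE.CM"
    function: str   # e.g. "Detect"
    current: int    # assessed maturity, 1..4
    target: int     # desired maturity, 1..4
    priority: int   # business priority set by the organization, 1 (low) .. 3 (high)

    @property
    def size(self) -> int:
        return self.target - self.current


def _check_score(category: str, score: int) -> int:
    """Profiles only make sense on the four Tier levels; reject anything else."""
    if not isinstance(score, int) or score not in TIER_NAMES:
        raise ValueError(f"{category}: score {score!r} is not a Tier level 1..4")
    return score


def _function_for(category: str) -> str:
    prefix = category.split(".", 1)[0]
    if prefix not in FUNCTION_OF:
        raise ValueError(f"{category}: unknown Core Function prefix {prefix!r}")
    return FUNCTION_OF[prefix]


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 priority: Optional[Dict[str, int]] = None) -> List[Gap]:
    """Compare a Current Profile with a Target Profile and return the gaps,
    ordered so the highest-priority, largest shortfalls come first."""
    priority = priority or {}
    gaps: List[Gap] = []
    for category, tgt in target.items():
        tgt = _check_score(category, tgt)
        # A Category the target names but the current profile never assessed is
        # treated as Tier 1 (Partial): nobody can show it is anything better.
        cur = _check_score(category, current.get(category, 1))
        if cur >= tgt:
            continue
        gaps.append(Gap(category, _function_for(category), cur, tgt,
                        priority.get(category, 1)))
    gaps.sort(key=lambda g: (-g.priority, -g.size, g.category))
    return gaps


def function_summary(gaps: List[Gap]) -> Dict[str, Dict[str, int]]:
    """Roll gaps up to the Functions: how many Categories fall short, and by how
    many Tier steps in total."""
    summary: Dict[str, Dict[str, int]] = {}
    for g in gaps:
        entry = summary.setdefault(g.function, {"gaps": 0, "shortfall": 0})
        entry["gaps"] += 1
        entry["shortfall"] += g.size
    return summary


def action_plan(gaps: List[Gap]) -> List[str]:
    """One human-readable line per gap, in the order the gaps should be worked."""
    lines = []
    for g in gaps:
        steps = f"+{g.size} tier" + ("s" if g.size > 1 else "")
        lines.append(f"{g.function:<8} {g.category}: {TIER_NAMES[g.current]} -> "
                     f"{TIER_NAMES[g.target]} (priority {g.priority}, {steps})")
    return lines


# Constructed sample profiles (not real assessment data). ID.SC (Supply Chain
# Risk Management) is deliberately absent from the current profile to show how
# an unassessed Category is handled.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "PR.DS": 2,
                   "DE.CM": 1, "DE.AE": 2, "RS.RP": 2, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "ID.SC": 3, "PR.AC": 3, "PR.DS": 3,
                  "DE.CM": 3, "DE.AE": 3, "RS.RP": 3, "RC.RP": 2}
PRIORITY = {"DE.CM": 3, "PR.DS": 3, "ID.SC": 2, "ID.RA": 2}

if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for line in action_plan(found):
        print(line)
    print(function_summary(found))
```

The ordering key (priority first, then shortfall, then Category name) is the part an organization will want to tune: the article's point is that the Profile should reflect the business needs it selected from the Framework, so the priority map, not the raw Tier difference, decides what gets worked first.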
Implementing the NIST Cybersecurity Framework
Although the NIST Framework is seen by many as an industry best practice, many of the organizations that adopt it say that completing implementation requires a massive investment, and that this investment is hampering their full adoption of it. While 70% of organizations view the Framework as a best practice, nearly 50% of companies said that the high level of investment it requires is a barrier to its widespread adoption.
NIST's goal in creating the CSF is to help eliminate the utterly fragmented cybersecurity landscape we find ourselves in, and it couldn't matter more at this point in the history of the digital world. Because of this, organizations are searching for NIST solutions more frequently than ever. The Framework helps organizations understand, structure, manage, and reduce cybersecurity risks. It assists in identifying the most important activities for assuring critical operations and service delivery, helps prioritize investments, and provides a common language that all members of the organization can use for cybersecurity and risk management.
Each organization and industry will have to identify the specific themes and topics within the Framework that it wants to use. Thankfully, most topics covered by the Framework are common to all sectors of industry. Here are some best practices for implementing the Framework in your organization:
- Adoption of the Framework requires the input and consideration of various people within the organization and cannot be effectively implemented by one person or small group.
- Like any IT systems program your organization has, adoption of the Framework requires ongoing maintenance. This isn't something your company sets and forgets; it needs to be assessed and updated regularly. How often you assess and update your processes is entirely up to your organization and how much you prioritize risk management.
- Adopting the Framework to control your digital environment just for the sake of having more control is not advised. Maintaining control should be a byproduct of the main goal: achieving a less risky environment through adoption of the Framework.
- Just as Information Security (InfoSec) is not a one-size-fits-all discipline, neither is implementation of the Framework. Your organization can adopt the Framework in a way that is as simple or as complex as you desire.
Organizations without an existing cybersecurity program can use the Framework as a model to establish one. Adoption can start with a high-level strategy for meeting the objectives of each Function. The steps your organization takes to implement the Framework will vary based on your organization's complexity and the industry laws and regulations that apply in your country. For instance, a startup might have a different mentality and objective in adopting the Framework than a global Fortune 500 company. Thankfully, the Framework is easy to adopt and mold to fit the needs of an organization no matter where it is in its journey.
Preventing Future Cyber Threats
From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia. The Framework received an update in 2016 that included updating the informative references, clarifying guidance for the Implementation Tiers, and placing cyber threat intelligence in the Framework Core. In early 2018, the Framework was updated once more with the roll-out of Version 1.1, which included updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. Version 1.1 is still compatible with Version 1.0, so the changes to the Framework aren't earth-shattering. They're largely refinements based on feedback from the community.
With the number of updates released to the Framework in recent years, NIST has decided to host a Cybersecurity Risk Management Conference in early November 2018 in Baltimore, Maryland. The NIST website explains that this conference aims to share and explore best practices and to receive and discuss stakeholder input on key cybersecurity and privacy risk management topics. The conference will focus on three main tracks: executive risk governance and administration, risk management programs, and operations.
Lawmakers are also becoming more active in increasing recognition of the Framework as a basis for building secure IT infrastructures. Just in the past year, the following key bills have been drafted or passed in the U.S. House and Senate:
- H.R. 1562: SAFE Act (House – Drafted)
- H.R. 1981: Cyber Security Education and Federal Workforce Enhancement Act (House – Drafted)
- S. 1656: Medical Device Cybersecurity Act of 2017 (Senate – Drafted)
- S. 1691: Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Senate – Drafted)
- H.R. 2105: NIST Small Business Cybersecurity Act (House Passed)
- S. 770: Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act (Senate – Passed)
These NIST standards bills are a tremendous step toward a brighter future in which public and private agencies achieve the highest grade of cybersecurity preparedness possible. The impact of the Framework is evident in its widespread adoption by organizations across the United States and in countries around the world.
Closing Thoughts
Cybersecurity violations can cause substantial financial losses, damage reputation, or cause outages that may permanently damage a company's market position. A remarkable 84% of organizations currently have at least one security framework in place. As companies pivot toward a digital business model, exponentially more data will be generated and shared among organizations, partners, and customers. A must-have requirement moving forward will be the ability to maintain a current understanding of the cyber threat environment, and this can be done through implementation of the NIST CSF. As cyber threats continue to multiply, it is paramount that your organization implement an effective cybersecurity program that helps protect you and your clients against threats while also propelling transformation.