Vulnerabilities / Threats
4/14/2014
11:10 AM
Dave Frymier
Dave Frymier
Commentary
Connect Directly
RSS
E-Mail
100%
0%

'Baby Teeth' In Infrastructure Cyber Security Framework

NIST's modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

The recent release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology has generated some debate on the actual effect this document will have on improving cyber security. There’s no new technology or technique here -- the framework is a simple taxonomy on which are hung references to existing security frameworks for various critical infrastructure sectors. 

As many have pointed out, compliance is voluntary -- there are no teeth. In fact, it’s not even clear what compliance would be, since the taxonomy points to existing standards that would already be complied with if mandatory. That makes this document a relatively small step in the direction of improved security. But it is potentially an important one. If it can provide a common way of characterizing security programs, it could be a big enabler. Let’s follow the path that led to the creation of this document. 

This framework was mandated by the Obama administration’s Cybersecurity Executive Order in February 2013. That Executive Order itself was a result of the inability of Congress to pass security legislation in the critical infrastructure area, largely due to industry opposition to the increased costs such security programs would cause. That’s why both the executive order and this framework have no teeth -- only Congress can impose new laws and fund enforcement mechanisms. 

There is a general feeling that our infrastructure sectors -- airports, utilities, chemical plants, etc. -- are not properly secured against cyber attack, and that the results of such an event could be catastrophic. Think of something on the order of magnitude of the Northeast United States blackout of 2003, or an attack on airports or airline infrastructure that could result in a significant, and perhaps extended, no-fly situation like Sept. 12-15, 2001. Given the general agreement that there is a problem, why would industry oppose the legislation of mandatory minimum security requirements to prevent things like this from happening and to level the compliance playing field?  

I’m sure the reasons for the resistance include a lack of information on which to base legislation and a legitimate fear that operations will be burdened by new requirements. Worse is the concern that many of these new requirements won’t make any sense for particular industries.

Enter the cyber security framework. The framework provides a simple, common taxonomy to compare and contrast different levels of security programs. One part of the framework describes how to fill out a profile for an organization. For example, if we take a representative number of electric utilities or chemical plants and have them all fill out profiles using the framework taxonomy, then the postures of these companies can be directly compared, and a baseline level of common practice in each industry established.  

This set of baseline profiles established for each of the 16 critical infrastructure sectors, could be used to negotiate and ultimately define, through legislation, the minimum levels of security required on an infrastructure sector-by-sector basis, expressed as a NIST framework profile. This is where the teeth would be -- which brings us all the way back to where we started: the need for Congress to pass legislation that sets minimum levels of information security for critical infrastructure sectors. 

The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.

For the optimists among us, this legislation might just happen this year. The National Cybersecurity and Critical Infrastructure Protection Act is currently being negotiated in the House and with the DHS.  But in light of past history, I’m not holding my breath.

Dave Frymier works with functional leaders across Unisys as well as vendors and partners to oversee the development and implementation of effective global information security policies, standards, and procedures. As a thought leader and practitioner, he represents the company ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JeremiahT680
50%
50%
JeremiahT680,
User Rank: Apprentice
4/15/2014 | 1:07:22 PM
Netowrk Infrastructure
So i came to the conclusion w/ all of the NSA spying that basically it comes down to this. The internet would fail w/o the NSA... basically they have a vested interest in the internet and have exploited vulnerabilities for years.. let alone if they have contingencies for exposure of vulnerabilities.. Its like this... they created it and will always have control of it.. The internet was not created for your amusement.. it was created to transmit secure classified data efficiently is all im saying.. they have spied will spy and probably never quit spying.. thats not opinion... that is fact.. I am totally against them spying on civiliian communications but its nothing new if you look at history..
Frymier
100%
0%
Frymier,
User Rank: Author
4/14/2014 | 7:11:29 PM
Re: Still not enough...
you may be right - the private sector could well lead the way - but remember that a desire to avoid legislation/regualtion is how we got PCI.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 6:01:31 PM
Re: Still not enough...
If the private sector were leading the way and maintaining the cybersecurity infrastructure of our critical infrastructure, why would we need an NIST framework in the first place? 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 4:37:07 PM
Re: Still not enough...
Sadly, it will most likely take another incident like a huge blackout -- or worse -- for either the public sector or private sector to take the steps we need to improve the security around our critical infrastructure. But in this political and economic climate, I'm not holding my breathe, either. 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:08:50 PM
Re: Still not enough...
If securing the infrastructure is going to be done right the private sector will need to lead the charge. The government has too much red-tape to make doing anything quick or right. We need to take the initiative to secure our infrastructure immediately before something really goes wrong.
Paladium
100%
0%
Paladium,
User Rank: Moderator
4/14/2014 | 1:15:14 PM
Still not enough...
The problem is still the complete lack of directive language that has functional meaning.  This NIST document does not contain any directives such as "Thou shalt do X", and its taken them two years or so to reach this point.  The NERC CIP standards are still vague and allows both CI owners/operators and auditors to interpret the meaning of the standards.  FFIEC and GLBA are even worse when it comes to directives.  So as long as CI is treated as a game of politics and budgets, and is left up to personal interpretation by all parties, the risks will continue to grow... until its too late and we have a major incident.  Shame on us!

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.