Vulnerabilities / Threats
4/14/2014
11:10 AM
Dave Frymier
Dave Frymier
Commentary
100%
0%

'Baby Teeth' In Infrastructure Cyber Security Framework

NIST's modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

The recent release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology has generated some debate on the actual effect this document will have on improving cyber security. There’s no new technology or technique here -- the framework is a simple taxonomy on which are hung references to existing security frameworks for various critical infrastructure sectors. 

As many have pointed out, compliance is voluntary -- there are no teeth. In fact, it’s not even clear what compliance would be, since the taxonomy points to existing standards that would already be complied with if mandatory. That makes this document a relatively small step in the direction of improved security. But it is potentially an important one. If it can provide a common way of characterizing security programs, it could be a big enabler. Let’s follow the path that led to the creation of this document. 

This framework was mandated by the Obama administration’s Cybersecurity Executive Order in February 2013. That Executive Order itself was a result of the inability of Congress to pass security legislation in the critical infrastructure area, largely due to industry opposition to the increased costs such security programs would cause. That’s why both the executive order and this framework have no teeth -- only Congress can impose new laws and fund enforcement mechanisms. 

There is a general feeling that our infrastructure sectors -- airports, utilities, chemical plants, etc. -- are not properly secured against cyber attack, and that the results of such an event could be catastrophic. Think of something on the order of magnitude of the Northeast United States blackout of 2003, or an attack on airports or airline infrastructure that could result in a significant, and perhaps extended, no-fly situation like Sept. 12-15, 2001. Given the general agreement that there is a problem, why would industry oppose the legislation of mandatory minimum security requirements to prevent things like this from happening and to level the compliance playing field?  

I’m sure the reasons for the resistance include a lack of information on which to base legislation and a legitimate fear that operations will be burdened by new requirements. Worse is the concern that many of these new requirements won’t make any sense for particular industries.

Enter the cyber security framework. The framework provides a simple, common taxonomy to compare and contrast different levels of security programs. One part of the framework describes how to fill out a profile for an organization. For example, if we take a representative number of electric utilities or chemical plants and have them all fill out profiles using the framework taxonomy, then the postures of these companies can be directly compared, and a baseline level of common practice in each industry established.  

This set of baseline profiles established for each of the 16 critical infrastructure sectors, could be used to negotiate and ultimately define, through legislation, the minimum levels of security required on an infrastructure sector-by-sector basis, expressed as a NIST framework profile. This is where the teeth would be -- which brings us all the way back to where we started: the need for Congress to pass legislation that sets minimum levels of information security for critical infrastructure sectors. 

The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.

For the optimists among us, this legislation might just happen this year. The National Cybersecurity and Critical Infrastructure Protection Act is currently being negotiated in the House and with the DHS.  But in light of past history, I’m not holding my breath.

Dave Frymier works with functional leaders across Unisys as well as vendors and partners to oversee the development and implementation of effective global information security policies, standards, and procedures. As a thought leader and practitioner, he represents the company ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JeremiahT680
50%
50%
JeremiahT680,
User Rank: Apprentice
4/15/2014 | 1:07:22 PM
Netowrk Infrastructure
So i came to the conclusion w/ all of the NSA spying that basically it comes down to this. The internet would fail w/o the NSA... basically they have a vested interest in the internet and have exploited vulnerabilities for years.. let alone if they have contingencies for exposure of vulnerabilities.. Its like this... they created it and will always have control of it.. The internet was not created for your amusement.. it was created to transmit secure classified data efficiently is all im saying.. they have spied will spy and probably never quit spying.. thats not opinion... that is fact.. I am totally against them spying on civiliian communications but its nothing new if you look at history..
Frymier
100%
0%
Frymier,
User Rank: Author
4/14/2014 | 7:11:29 PM
Re: Still not enough...
you may be right - the private sector could well lead the way - but remember that a desire to avoid legislation/regualtion is how we got PCI.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 6:01:31 PM
Re: Still not enough...
If the private sector were leading the way and maintaining the cybersecurity infrastructure of our critical infrastructure, why would we need an NIST framework in the first place? 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 4:37:07 PM
Re: Still not enough...
Sadly, it will most likely take another incident like a huge blackout -- or worse -- for either the public sector or private sector to take the steps we need to improve the security around our critical infrastructure. But in this political and economic climate, I'm not holding my breathe, either. 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:08:50 PM
Re: Still not enough...
If securing the infrastructure is going to be done right the private sector will need to lead the charge. The government has too much red-tape to make doing anything quick or right. We need to take the initiative to secure our infrastructure immediately before something really goes wrong.
Paladium
100%
0%
Paladium,
User Rank: Moderator
4/14/2014 | 1:15:14 PM
Still not enough...
The problem is still the complete lack of directive language that has functional meaning.  This NIST document does not contain any directives such as "Thou shalt do X", and its taken them two years or so to reach this point.  The NERC CIP standards are still vague and allows both CI owners/operators and auditors to interpret the meaning of the standards.  FFIEC and GLBA are even worse when it comes to directives.  So as long as CI is treated as a game of politics and budgets, and is left up to personal interpretation by all parties, the risks will continue to grow... until its too late and we have a major incident.  Shame on us!

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.