Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/14/2014
11:10 AM
Dave Frymier
Dave Frymier
Commentary
100%
0%

'Baby Teeth' In Infrastructure Cyber Security Framework

NIST's modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

The recent release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology has generated some debate on the actual effect this document will have on improving cyber security. There’s no new technology or technique here -- the framework is a simple taxonomy on which are hung references to existing security frameworks for various critical infrastructure sectors. 

As many have pointed out, compliance is voluntary -- there are no teeth. In fact, it’s not even clear what compliance would be, since the taxonomy points to existing standards that would already be complied with if mandatory. That makes this document a relatively small step in the direction of improved security. But it is potentially an important one. If it can provide a common way of characterizing security programs, it could be a big enabler. Let’s follow the path that led to the creation of this document. 

This framework was mandated by the Obama administration’s Cybersecurity Executive Order in February 2013. That Executive Order itself was a result of the inability of Congress to pass security legislation in the critical infrastructure area, largely due to industry opposition to the increased costs such security programs would cause. That’s why both the executive order and this framework have no teeth -- only Congress can impose new laws and fund enforcement mechanisms. 

There is a general feeling that our infrastructure sectors -- airports, utilities, chemical plants, etc. -- are not properly secured against cyber attack, and that the results of such an event could be catastrophic. Think of something on the order of magnitude of the Northeast United States blackout of 2003, or an attack on airports or airline infrastructure that could result in a significant, and perhaps extended, no-fly situation like Sept. 12-15, 2001. Given the general agreement that there is a problem, why would industry oppose the legislation of mandatory minimum security requirements to prevent things like this from happening and to level the compliance playing field?  

I’m sure the reasons for the resistance include a lack of information on which to base legislation and a legitimate fear that operations will be burdened by new requirements. Worse is the concern that many of these new requirements won’t make any sense for particular industries.

Enter the cyber security framework. The framework provides a simple, common taxonomy to compare and contrast different levels of security programs. One part of the framework describes how to fill out a profile for an organization. For example, if we take a representative number of electric utilities or chemical plants and have them all fill out profiles using the framework taxonomy, then the postures of these companies can be directly compared, and a baseline level of common practice in each industry established.  

This set of baseline profiles established for each of the 16 critical infrastructure sectors, could be used to negotiate and ultimately define, through legislation, the minimum levels of security required on an infrastructure sector-by-sector basis, expressed as a NIST framework profile. This is where the teeth would be -- which brings us all the way back to where we started: the need for Congress to pass legislation that sets minimum levels of information security for critical infrastructure sectors. 

The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.

For the optimists among us, this legislation might just happen this year. The National Cybersecurity and Critical Infrastructure Protection Act is currently being negotiated in the House and with the DHS.  But in light of past history, I’m not holding my breath.

Dave Frymier works with functional leaders across Unisys as well as vendors and partners to oversee the development and implementation of effective global information security policies, standards, and procedures. As a thought leader and practitioner, he represents the company ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JeremiahT680
50%
50%
JeremiahT680,
User Rank: Apprentice
4/15/2014 | 1:07:22 PM
Netowrk Infrastructure
So i came to the conclusion w/ all of the NSA spying that basically it comes down to this. The internet would fail w/o the NSA... basically they have a vested interest in the internet and have exploited vulnerabilities for years.. let alone if they have contingencies for exposure of vulnerabilities.. Its like this... they created it and will always have control of it.. The internet was not created for your amusement.. it was created to transmit secure classified data efficiently is all im saying.. they have spied will spy and probably never quit spying.. thats not opinion... that is fact.. I am totally against them spying on civiliian communications but its nothing new if you look at history..
Frymier
100%
0%
Frymier,
User Rank: Author
4/14/2014 | 7:11:29 PM
Re: Still not enough...
you may be right - the private sector could well lead the way - but remember that a desire to avoid legislation/regualtion is how we got PCI.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 6:01:31 PM
Re: Still not enough...
If the private sector were leading the way and maintaining the cybersecurity infrastructure of our critical infrastructure, why would we need an NIST framework in the first place? 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 4:37:07 PM
Re: Still not enough...
Sadly, it will most likely take another incident like a huge blackout -- or worse -- for either the public sector or private sector to take the steps we need to improve the security around our critical infrastructure. But in this political and economic climate, I'm not holding my breathe, either. 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:08:50 PM
Re: Still not enough...
If securing the infrastructure is going to be done right the private sector will need to lead the charge. The government has too much red-tape to make doing anything quick or right. We need to take the initiative to secure our infrastructure immediately before something really goes wrong.
Paladium
100%
0%
Paladium,
User Rank: Moderator
4/14/2014 | 1:15:14 PM
Still not enough...
The problem is still the complete lack of directive language that has functional meaning.  This NIST document does not contain any directives such as "Thou shalt do X", and its taken them two years or so to reach this point.  The NERC CIP standards are still vague and allows both CI owners/operators and auditors to interpret the meaning of the standards.  FFIEC and GLBA are even worse when it comes to directives.  So as long as CI is treated as a game of politics and budgets, and is left up to personal interpretation by all parties, the risks will continue to grow... until its too late and we have a major incident.  Shame on us!

 
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8741
PUBLISHED: 2020-02-28
A denial of service issue was addressed with improved input validation.
CVE-2020-9399
PUBLISHED: 2020-02-28
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
CVE-2020-9442
PUBLISHED: 2020-02-28
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
CVE-2019-3698
PUBLISHED: 2020-02-28
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux...
CVE-2020-9431
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.