Guidance on NIST Framework Requirements
Author: CSC Town Hall
The White House earlier this year announced a framework for the development of cybersecurity standards for our nation's critical infrastructure. The framework provides an opportunity for the owners and operators of this critical infrastructure to work with the public sector in defining the standards that will be applied to improving our cybersecurity. Since the announcement, organizations have been trying to understand the anatomy of the framework and what changes they need to make to comply.
Experts from MWH, CSC and the Prince William County Service Authority discuss the NIST framework and what guidelines your organizations need to follow.
- Ed Liebig, Partner, Global CTO Cybersecurity Consulting, CSC
- Philip Smith, Vice President and Associate Director, Management Consulting & Technology Team, MWH
- Andy Higginbotham, Senior SCADA Program Manager, Prince William County Service Authority
- Jeff Caruso, Senior Managing Editor, CSC
NIST Framework Requirements
The White House earlier this year announced a framework for the development of cybersecurity standards for our nation's critical infrastructure, developed by the National Institute of Standards and Technology (NIST). This gives owners and operators of critical infrastructure a way to work with the public sector to protect that infrastructure from cyberattacks.
Ed Liebig, a partner in CSC's global CTO cybersecurity consulting practice, says several frameworks already exist to help public and private companies protect critical infrastructure. "Some are focused on operational systems, some are focused on the business side," Liebig says. "The NIST standard marries these to include the most pertinent standard for securing critical infrastructure from both aspects. This gives companies a roadmap to individual controls that apply best to their situation."
"International Society of Automation (ISA) standards focus on prescriptive actions to take when issues arise," says Andy Higginbotham, senior SCADA program manager for the Prince William County Service Authority. "The NIST framework will help operational people, for example, think about other actions to take. It can point you in the direction of other standards to apply for a particular situation that isn't covered in the ISA standard."
The NIST framework offers succinct steps for evaluating your organization and figuring out where you need controls from a cybersecurity perspective, Liebig says. Companies planning to make improvements should follow a roadmap with steps like these:
- Assemble a strategy that describes the scope of critical systems and assets.
- Decide how secure you need to be based on the nature of your business and your customers.
- Orient the scope of your plan to make sure it's touching the right parts of the organization.
- Perform a current state evaluation. Determine what you're doing today and the security safeguards already in place.
- Perform a gap analysis to compare what you do today with the NIST framework.
- Determine the consequences if an asset or device is compromised or disabled, then consider that impact on operations. This consequence-based risk assessment helps build the business case for security.
- Have a plan that you can step through in a methodical way, considering the interdependencies of each initiative.
- Determine if you can implement your plans in the timeframe you've set or if you need help.
Philip Smith, vice president and associate director at MWH, says education and awareness are critical in helping people understand that security risks don't just come through the network. "WaterISAC recently issued notices about people getting phone calls where someone's trying to gain access to the network or data system. They're asking for a password and saying they're from IT. People need to be trained to respond the right way. Do you hang up on them, or does it end up going to the FBI?" Smith says.
"These frameworks can help you build a business case for what really needs to be done," Smith says. "If you listen to the news, decide you have to do something, then overreact, you'll end up with something that gets in the way of doing business. It's really about helping keep these utilities in business."