The National Institute of Science and Technology has issued a set of standards and best practices to protect the nation’s critical infrastructure – including information systems and industrial control systems in manufacturing companies – from cyber attacks.
The new guidelines – formally called the “Framework for Improving Critical Infrastructure Cybersecurity” – are designed to combat what NIST said are cyber attacks that “exploit” the increased complexity and interconnectivity of critical infrastructure systems, placing the nation as well as business at risk.
“Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk,” NIST said. “This approach is necessary regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.”
NIST, a unit of the Commerce Department, published the framework, designated version 1.0, one year after President Obama issued an executive order calling for greater security of critical infrastructure. The use of the framework by organizations is voluntary.
The framework has three parts:
- The Framework Core: Defined as a set of cybersecurity activities, desired outcomes, and references that is critical across infrastructure sectors. The core has five functions, which NIST said provide a strategic view of the lifecycle of cybersecurity risk management: identify, protect, detect, respond, and recover.
- Framework Implementation Tiers: These provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. NIST said the tiers, which range from “partial” to “adaptive”, span from informal, reactive responses to cyber threats to responses that are agile and well informed about risk.
- A Framework Profile: This represents the outcomes, based on business needs, that an organization selects from the Framework categories. Profiles can be used to identify ways an organization can improve its cybersecurity measures by comparing a “current” profile to a “target” profile.
NIST also published a roadmap that lays out a path for improved future versions of the Framework, to be developed in cooperation with industry and other government agencies. This could include transferring governance of the framework to a non-government organization, NIST said.
For the full report on the Framework, go to http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
Written by David Brousell
Global Vice President, General Manager and Editorial Director of the Manufacturing Leadership Council