Managing Risk: Key Aspects of NIST’s Cybersecurity Framework Updates
By Will McNamara, Director, Black & Veatch Management Consulting, LLC
The National Institute of Standards and Technology (NIST) issued a draft update to its Cybersecurity Framework on 10 January 2017. The Framework, first published in February 2014, is a set of voluntary guidelines intended to help organizations manage and reduce cybersecurity risk to the nation's critical infrastructure.
Introduction of Metrics and Measures
Perhaps the most important (and most controversial) update is the introduction of cybersecurity measurement and metrics. According to NIST, the purpose of measurement and metrics is to correlate cybersecurity activity with business objectives and to understand and quantify the cause-and-effect relationship between specific security activities and the resulting outcomes.
It is also important to understand the distinction between "metrics" and "measures" as defined in the NIST update. According to NIST, metrics should be used to "facilitate decision-making and improve performance and accountability" within an organization. Measures, by comparison, are the quantifiable, observable and objective data points that feed those metrics; they are closely aligned with technical controls (for example, a count of systems patched within a defined window), whereas a metric puts such data in a business context that a decision-maker can act on.
Black & Veatch recently held a webinar discussing how utility leaders can quantify their security and risk posture, using proven asset management practices, to justify security investments and demonstrate improvement over time. While the webinar was geared to power utility leaders, the information and approach are equally applicable to water and natural gas utilities.
While these updates can be viewed as a natural extension of the Framework, the inclusion of metrics and measures resembles, for some, a step toward mandating a process through a Framework that has been voluntary up to this point. This gray area between voluntary guidelines and the potential for mandates will likely be the focus of commentary received by NIST during the open comment period (the deadline to send comments to NIST is 10 April 2017). NIST will hold a public workshop following the comment period, and the next proposed update to the Cybersecurity Framework is expected to be published in the fall of 2017.
Managing Supply Chain Risk
The draft update also adds new detail on managing cyber supply chain risk and introduces a standardized vocabulary for supply chain risk management. The standardized vocabulary is intended to help an organization and its supply chain partners coordinate cybersecurity expectations and efforts with external third parties using common terms.
Managing supply chain risk is critically important as utilities become increasingly dependent on vendors to complete work. Given that many high-profile breaches, both within and outside the industry, have been traced back to vendors, supply chain risk must become a high priority for risk mitigation. If a vendor does not follow proper security practices within its own systems, its equipment and personnel should not be allowed on your network until those gaps are addressed, and the security requirements a vendor must meet should be written into the contract and verified rather than assumed.
Value of the NIST Framework
The NIST Framework is built around five "Core Functions" that are intended to help organizations develop an operational culture that addresses enterprise cybersecurity risk. Those Core Functions, defined within the text of the Framework, are: Identify, Protect, Detect, Respond and Recover.
Each Core Function is divided into three to six categories that define specific areas of activity, such as "Risk Assessment," "Awareness and Training" and "Response Planning," and each category is further broken down into subcategories of specific outcomes, with informative references to existing standards that show how each outcome can be achieved.
Black & Veatch encourages its clients and all utilities with critical physical and cyber assets to take steps to align their security programs with the NIST Framework, along with other applicable industry standards, as part of a broader risk management program.