
NIST has published a cybersecurity framework for critical infrastructure

The US Government has published a cybersecurity framework for critical infrastructure, a “living document” intended to improve the security of critical infrastructure operators.

The US Government has issued a cybersecurity framework for critical infrastructure; the goal is to improve the security of the IT and SCADA networks deployed in sensitive industries such as energy, water and financial services.

NIST announced the Framework for Improving Critical Infrastructure Security, a document that proposes cybersecurity standards and practices organizations can use to build out a security program.

“The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers,” the document states.

The framework follows Executive Order 13636 on critical infrastructure and is a joint effort between industry and government.

“To better address these risks, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses,” the NIST framework states.

The framework is considered a significant step toward improving the security of critical infrastructure through the establishment of new cybersecurity programs.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” said President Barack Obama. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

The Framework is a “living document”: NIST intends, through collaboration between government and the private sector, to update it continuously, incorporating feedback from those who apply the suggested practices.

The goal of this approach is to create an environment that is both reactive and proactive, mitigating existing threats and designing solutions for critical infrastructure protection.

The framework is organized into three components, each of which reinforces the connection between business drivers and cybersecurity activities.

  • The Framework Core establishes common outcomes, references and activities that organizations can use to communicate desired states across the organization. According to the document, the Core has five functions: identify, protect, detect, respond and recover from an incident, providing a high-level strategic outline for critical infrastructure operators.
  • The Framework Implementation Tiers describe an organization’s current practices and help a security team determine whether current processes are risk-aware, repeatable and adaptive enough for current threats.
  • The Framework Profile establishes the desired outcomes as they relate to business needs. The document says the Profile is an alignment of standards, guidelines and practices to the Core for particular implementation scenarios.

As highlighted in the past, threats to critical infrastructure are increasing in complexity, but it must also be considered that the information and tools needed for an attack are quite easy to find online; think, for example, of how simple it is to locate Internet-exposed SCADA components through the Shodan search engine, along with the exploits needed to hit the targets.

“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” Obama said. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”

The framework is available on the NIST website.

Cyberspace is an increasingly dangerous place!


Pierluigi Paganini

(Security Affairs – NIST, critical infrastructure)
