NIST releases security framework for critical infrastructure

On Wednesday, NIST published the 41-page guidance after months of feedback from the community.

In an effort to help critical infrastructure companies stave off cyber attacks, the National Institute of Standards and Technology (NIST) has released a cyber security framework.

The 41-page guidance, published Wednesday after months of community feedback, supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February 2013. It is a voluntary framework, designed to complement an enterprise's existing security management program, not to replace it.

The framework offers a risk-based management approach and is divided into three parts – the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

Last October, NIST introduced a preliminary version of the framework that already used the three-part structure. The most notable change in the final document is an added methodology for protecting the privacy and civil liberties of individuals affected by an organization's cyber security activities.

According to the framework, the added section on privacy "is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implications.”

The framework is intended to serve as a guidepost for the range of industries operating processes essential to the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.

On Thursday, Jeff Greene, senior policy counsel at security firm Symantec, told SCMagazine.com that the framework takes into consideration the diversity in approach needed for various organizations.

Symantec participated in public meetings to discuss the framework before its release, and also provided feedback on earlier drafts of the guidance. 

“I think overall, the framework is directed so that any organization, regardless of size or sophistication, can use it,” Greene said. "It's a document that is individual to anyone who uses it – It's a tool that lets you make the decision yourself.”

Still, some security experts feel that essential points were overlooked in the finalized version.

On Thursday, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, an Israel-based provider of industrial control network and critical infrastructure security products, told SCMagazine.com that the framework gave no guidance on how safety systems should relate to security.

“I look at the executive order and they devoted a whole subsection on privacy...[but] when I talk to [customers], there's a big debate out there on whether safety systems – the ones that keep things from blowing up – should be connected to control networks,” Ginter said.

"[Security and safety] is one of the big gaps that could have been addressed in a paragraph or two, and they don't even touch on it," he said.
