NIST releases security framework for critical infrastructure

On Wednesday, NIST published the 41-page guidance after months of feedback from the community.

In an effort to help critical infrastructure companies stave off cyber attacks, the National Institute of Standards and Technology (NIST) has released a cyber security framework.

On Wednesday, NIST published the 41-page guidance, after months of feedback from the community. The framework supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February, and serves as a voluntary framework, designed to complement an enterprise's existing security management program – not replace it.

The framework offers a risk-based management approach and is divided into three parts – the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

Last October, NIST introduced a preliminary version of the framework, which made note of the three-part guidance structure, but changes to the document include additional methodology for protecting the privacy and civil liberties of users.

According to the framework, the added section on privacy "is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implications.”

The framework was intended to serve as a guidepost for a range of industries managing integral processes for the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.

On Thursday, Jeff Greene, senior policy counsel at security firm Symantec, said that the framework takes into consideration the diversity in approach needed by various organizations.

Symantec participated in public meetings to discuss the framework before its release, and also provided feedback on earlier drafts of the guidance. 

“I think overall, the framework is directed so that any organization, regardless of size or sophistication, can use it,” Greene said. “It's a document that is individual to anyone who uses it – it's a tool that lets you make the decision yourself.”

Still, some security experts feel that essential points were overlooked in the finalized version.

On Thursday, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, an Israel-based industrial control network and critical infrastructure solutions provider, said that the framework lacked guidance on security.

“I look at the executive order and they devoted a whole subsection on privacy...[but] when I talk to [customers], there's a big debate out there on whether safety systems – the ones that keep things from blowing up – should be connected to control networks,” Ginter said.

“[Security and safety] is one of the big gaps that could have been addressed in a paragraph or two, and they don't even touch on it,” he said.
