In an effort to help critical infrastructure companies stave off cyber attacks, the National Institute of Standards and Technology (NIST) has released a cyber security framework.
On Wednesday, NIST published the 41-page guidance, after months of feedback from the community. The framework supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February, and serves as a voluntary framework, designed to complement an enterprise's existing security management program – not replace it.
The framework offers a risk-based management approach and is divided into three parts – the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
Last October, NIST introduced a preliminary version of the framework, which made note of the three-part guidance structure, but changes to the document include additional methodology for protecting the privacy and civil liberties of users.
According to the framework, the added section on privacy "is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implications.”
The framework was intended to serve as a guidepost for a range of industries managing integral processes for the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.
On Thursday, Jeff Greene, senior policy counsel at security firm Symantec, told SCMagazine.com that the framework takes into consideration the diversity in approach needed for various organizations.
Symantec participated in public meetings to discuss the framework before its release, and also provided feedback on earlier drafts of the guidance.
“I think overall, the framework is directed so that any organization, regardless of size or sophistication, can use it,” Greene said. "It's a document that is individual to anyone who uses it – It's a tool that lets you make the decision yourself.”
Still, some security experts feel that essential points were overlooked in the finalized version.
On Thursday, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, an Israel-based industrial control network and critical infrastructure solutions provider, told SCMagazine.com that the framework lacked guidance on security.
“I look at the executive order and they devoted a whole subsection on privacy...[but] when I talk to [customers], there's a big debate out there on whether safety systems – the ones that keep things from blowing up – should be connected to control networks,” Ginter said.
"[Security and saftey] is one of the big gaps that could have been addressed in paragraph or two, and they don't even touch on it," he said.
