NIST releases security framework for critical infrastructure

Share this article:
Experiment shows how often hackers want to attack critical infrastructure
On Wednesday, NIST published the 41-page guidance after months of feedback from the community.

In an effort to help critical infrastructure companies stave off cyber attacks, the National Institute of Standards and Technology (NIST) has released a cyber security framework.

On Wednesday, NIST published the 41-page guidance, after months of feedback from the community. The framework supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February, and serves as a voluntary framework, designed to complement an enterprise's existing security management program – not replace it.

The framework offers a risk-based management approach and is divided into three parts – the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

Last October, NIST introduced a preliminary version of the framework, which made note of the three-part guidance structure, but changes to the document include additional methodology for protecting the privacy and civil liberties of users.

According to the framework, the added section on privacy "is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implications.”

The framework was intended to serve as a guidepost for a range of industries managing integral processes for the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.

On Thursday, Jeff Greene, senior policy counsel at security firm Symantec, told that the framework takes into consideration the diversity in approach needed for various organizations.

Symantec participated in public meetings to discuss the framework before its release, and also provided feedback on earlier drafts of the guidance. 

“I think overall, the framework is directed so that any organization, regardless of size or sophistication, can use it,” Greene said. "It's a document that is individual to anyone who uses it – It's a tool that lets you make the decision yourself.”

Still, some security experts feel that essential points were overlooked in the finalized version.

On Thursday, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, an Israel-based industrial control network and critical infrastructure solutions provider, told that the framework lacked guidance on security.

“I look at the executive order and they devoted a whole subsection on privacy...[but] when I talk to [customers], there's a big debate out there on whether safety systems – the ones that keep things from blowing up – should be connected to control networks,” Ginter said.

"[Security and saftey] is one of the big gaps that could have been addressed in paragraph or two, and they don't even touch on it," he said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.