NIST releases security framework for critical infrastructure

On Wednesday, NIST published the 41-page guidance after months of feedback from the community.

In an effort to help critical infrastructure companies stave off cyber attacks, the National Institute of Standards and Technology (NIST) has released a cyber security framework.

On Wednesday, NIST published the 41-page guidance, after months of feedback from the community. The framework supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February, and serves as a voluntary framework, designed to complement an enterprise's existing security management program – not replace it.

The framework offers a risk-based management approach and is divided into three parts – the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

Last October, NIST introduced a preliminary version of the framework, which made note of the three-part guidance structure, but changes to the document include additional methodology for protecting the privacy and civil liberties of users.

According to the framework, the added section on privacy "is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implications.”

The framework was intended to serve as a guidepost for a range of industries managing integral processes for the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.

On Thursday, Jeff Greene, senior policy counsel at security firm Symantec, told SCMagazine.com that the framework takes into consideration the diversity in approach needed for various organizations.

Symantec participated in public meetings to discuss the framework before its release, and also provided feedback on earlier drafts of the guidance. 

“I think overall, the framework is directed so that any organization, regardless of size or sophistication, can use it,” Greene said. "It's a document that is individual to anyone who uses it – it's a tool that lets you make the decision yourself.”

Still, some security experts feel that essential points were overlooked in the finalized version.

On Thursday, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, an Israel-based industrial control network and critical infrastructure solutions provider, told SCMagazine.com that the framework lacked guidance on security.

“I look at the executive order and they devoted a whole subsection on privacy...[but] when I talk to [customers], there's a big debate out there on whether safety systems – the ones that keep things from blowing up – should be connected to control networks,” Ginter said.

"[Security and safety] is one of the big gaps that could have been addressed in a paragraph or two, and they don't even touch on it," he said.
