Saturday, February 1, 2014

Information Technology is a Moving Target

NIST's finalized cybersecurity framework receives mixed reviews

By Taylor Armerding
January 31, 2014 — CSO — There has never been a successful catastrophic cyberattack on North America's critical infrastructure (CI) — yet.

[Adoption, privacy biggest topics as NIST Cybersecurity Framework nears February deadline]

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework 1.0, to be issued Feb. 13 in response to an executive order from President Obama, aims to keep it that way.

But there is considerable debate within the security community about whether it will improve the protection of CI, which includes transportation, energy, food, water, financial services and other systems.

Some, like Andrew Ginter, vice president of industrial security at the Canadian firm Waterfall Security Solutions, contend that it takes a misguided approach to the magnitude and complexity of the threats.

Ginter wrote in a recent blog post that the framework is too complicated for top management and board members of Industrial Control Systems (ICS). Worse, he said, it, "leads senior management to ask the wrong kinds of questions about the security of critical infrastructure sites," by focusing on "actuarial" risk rather than the capabilities of the most sophisticated potential attackers.

The question, he said, should not be, "How many times was the North American power grid taken down by a cyber assault in the last decade, and what did each such incident cost? The answer is, of course, zero."

Instead, he said, it should be, "When our most capable enemies attack us, what is the most likely outcome?"

Joe Weiss, managing partner at Applied Control Solutions, has argued for years that government organizations like NIST and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too focused on "compliance" and not enough on real security.