There is no “one size fits all” cyber security programme – which is why Ascentor uses a mix of frameworks to assess risks and recommend and measure the effectiveness of controls. The internationally recognised and respected US National Institute for Standards and Technology Cybersecurity Framework (NIST framework) is one of the most popular, with nearly 50% of US organisations estimated to be using it by 2020 and a strong international following.
Established in 2014, the NIST framework has recently undergone an update. We look at why you should use it, what it covers and give a brief summary of the main changes in the 1.1 update.
The background to the NIST framework
The framework was designed to give organisations a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents. Its primary focus was on US critical infrastructure – services such as the national electric power grid, banking, communications and transportation systems.
Originally a voluntary framework, US organisations could adopt it as they saw fit – it became mandatory for all federal agencies (effectively the US public sector) in 2017. It now has a global network of users that meet and discuss usage, including organisations in the UK.
Why use the NIST framework in the UK?
The application to critical infrastructure was one of the reasons Ascentor became interested in the NIST framework. It is equally applicable to UK-based organisations facing potentially catastrophic cyber threats to their operational technology (OT).
Recent research from the Ponemon Institute (as reported by Computer Weekly) shows there is real concern amongst such operators. Cyber attacks aimed at critical infrastructure are typically conducted by well-funded, highly capable state cyber criminals – and 60% of respondents describe themselves as “most worried” about an attack.
A recent example of this kind of activity is demonstrated by the cyber attacks on Wiltshire Council in the UK, shortly after the Novichock poisonings in March 2018. The Council confirmed that the number of attacks on their system increased tenfold and GCHQ said that 90% of these came from outside of the UK. What’s more, the IT systems of Wiltshire Police also came under attack because they use the computer resources of the Council.
According to GCHQ, these cyber attacks could have had two goals: either to significantly slow down the work of the local authority or to covertly penetrate domestic resources, especially police information.
The benefits of the NIST framework
The framework defines the requirements for a cyber security programme and provides a structure to support implementation. The approach has several benefits:
· Being risk-focused, rather than simply a list of things that “must be complied with”, it can be tailored to the business requirements of each organisation, within the context of existing information security provision.
· It is aligned with existing information security approaches, with extensive cross-referencing to ISO 27001, COBIT, IEC 62443 and the CIS Critical Security Controls (CSC), thus reducing duplication.
· The tiered approach to implementation can be tailored to the requirements of each organisation.
· A series of steps to create, implement and maintain a cyber security strategy provide clear guidance and reduce effort.
The NIST framework can be viewed as a “how to” manual that outlines a strategy to understand how effective cyber security can be delivered for any organisation.
Exploring the NIST framework
There are three elements to the framework:
1. The Framework Core is a set of activities and desired outcomes that are cross-referenced to applicable standards and guidelines. The framework core is based on five “Functions”: Identify, Protect, Detect, Respond and Recover. Within each function the framework core identifies Categories and Subcategories – these are cross-referenced to existing standards, guidelines and practices.
NIST: Core Function Objectives
2. The Framework Implementation Tiers describe how an organisations risk management practices exhibit the characteristics described in the framework (for example, risk and threat aware, repeatable and adaptive). Four tiers are defined, and these can be used to measure progress or establish targets that are tailored for the organisation.
3. A Framework Profile describes the outcomes that an organisation is seeking, based on the Framework Categories and Subcategories. A Profile is, therefore, an organisation-specific selection of standards, guidelines and practices that can be used to measure current status, plan a desired end-state and support the activities required to transition between the two. It supports risk-based prioritisation of changes, allowing an organisation to make informed choices to deliver an appropriate level of cyber resilience.
The framework strongly emphasises the use of a risk-based approach, although it does not advocate any single risk-assessment methodology; it is compatible with ISO 31000 and ISO 27005.
NIST Framework Version 1.1 – the major changes
In April 2018, NIST released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity. It is still compatible with version 1.0 so the changes aren’t huge. They mainly include updates on how to perform self-assessments, additional detail on supply chain risk management and guidance on external communication and how to interact with supply chain stakeholders.
In a little more detail
- Self-assessments
Self-assessment is a key start point for any organisation in understanding its baseline cyber security provision. It shows the situation as it is, enabling the organisation to formulate a plan for improvement. Version 1.0 didn’t make it that clear how to measure the current state of cyber security, but the new version focuses more on self-assessment. Section 4, which used to be called “Measuring and Demonstrating Cybersecurity” is now titled “Self-Assessing Cybersecurity Risk with the Framework.”
- Supply chain risk management
Cyber attacks are increasingly focused on the supply chain and are getting more prevalent and dangerous. Weak links in the supply chain can open up access to other organisations in the chain so due diligence around cyber security is important. So, it is good to see that version 1.1 puts a lot more focus on the supply chain. There’s guidance on managing risks in the supply chain through third-party assessments, targeted security controls and holding suppliers accountable.
This is an area where Ascentor has significant experience within HM Government and the civil nuclear industry. Indeed, these organisations have to meet a minimum subset of the NIST framework.
- Online learning and testimonials
NIST has launched a range of online learning modules and made available success stories that describe how various organisations have used the framework with the lessons learned.
Conclusion
The NIST framework started as a US-based model but its relevance to any country with critical infrastructure soon became apparent. For a sophisticated attacker or nation intent on malicious damage, critical infrastructure makes the perfect target especially those that are still running legacy systems with less security.
Since its launch in 2014, the NIST framework has become highly respected because it’s comprehensive, logical, risk-based and applicable to all organisations. It’s also relatively easy to understand, use and communicate to senior managers.
For further information
If you have found this article interesting, the Ascentor blog regularly carries articles about a range of topical cyber security issues. You might also like to receive our quarterly newsletter. Sign-up details below.
Readers interested in the NIST Cybersecurity Framework will find the following links helpful:
NIST Cybersecurity Framework 1.1 press release
NIST Framework Documents links to Version 1 and 1.1.
Download Ascentor’s White Paper which covers the NIST framework in more depth – Designing & Delivering a Cyber Security Programme
If you’d like to discuss any aspect of cyber security, please get in touch, using the contact details below.
