Thoughts on the NIST Cybersecurity Framework Workshop

May 30, 2013

Since it was on campus, I attended part of the NIST Cybersecurity Framework Workshop to get a sense of how to develop my mental models project. They reported on some initial findings from the Request for Information (RFI) and had breakout groups to discuss the gaps that needed more information. I attended two of the four breakout sessions – “The Business of Cyber Risk” and “Threat Management”.

A couple of things popped out to me based on the discussions:

  1. There are fundamental internal and external communication problems – This was true for the RFI as well as our discussions. We spent time debating the definition of threat vs. vulnerability vs. risk because everyone was using those words differently. It’s hard to have a conversation across sectors without a common language for cybersecurity. In addition, individuals raised questions about how to communicate cybersecurity risks to others within the business, e.g. executives.
  2. People desire simplicity – They want the framework to be simple (as well as risk-based, flexible, etc.). In talking to some individuals from the Energy Sector, they also spoke of a desire for simpler regulations that were not so onerous for compliance. This reminded me of the notion that simple policy is better policy. Smaller companies just want cybersecurity to be easy – they want the framework to point them to best practices and tell them what to do. For most businesses, cybersecurity is a distraction that they want to go away. Particularly for the Energy Sector, there is also a desire for certainty so that they can make business decisions without worrying about what next year’s cybersecurity rules will be.
  3. The most useful information-sharing is happening in informal channels – This is because official sources of information, particularly the kind that is published publicly, are not timely, and business entities do not trust that they will be protected if they share information. With official information, by the time you are notified of a threat, it is too late to do anything about it. More useful, timely information is coming from peers who have built a trust relationship and share real-time threat information. Some of this is happening under NDAs in a quid pro quo environment where you can get kicked out for never sharing information (unlike an ISAC). There is a lot of concern about liability if, for example, shared information is wrong. There was a desire to completely separate the compliance and information-sharing functions of regulatory agencies – for the Energy Sector, NERC is the regulatory agency and also runs the ES-ISAC. As a result, business entities are hesitant to share information that may implicate them in non-compliance.
  4. Threat information is repetitive – I’m not sure about this – but it seems like this could have implications for attention due to heuristics and biases. Threats that are “over-shared” may seem more or less important than others. If this information is perceived as noise, it might not be considered as carefully. It probably depends on the level of analytics in use (if any). This is also why the informally shared information is more useful – it is generally more relevant, specific, and actionable.
  5. There are perverse incentives – Particularly for the Energy Sector, there are numerous perverse incentives as a result of the compliance-based approach. Utilities delay upgrades to make auditing easier. For example, early cybersecurity regulations were concerned with IP protocols, so some utilities avoided upgrading their serial control systems in order to avoid regulation – even if IP protocols offered needed improvements (e.g. improved situational awareness). There is also little incentive to be certified as a black start asset, since there are additional costs associated with securing those assets – as a result, the reliability of the system is lower because there are fewer black start designated resources.

I can’t verify the validity of all of these statements – but they were thoughts/stories shared during the workshop that I found particularly interesting.
