On April 16, 2018, the National Institute of Standards and Technology (NIST) released version 1.1 of its widely referenced Cybersecurity Framework, incorporating input from industry and other stakeholders.
"This update refines, clarifies and enhances Version 1.0," said Matt Barrett, program manager for the Cybersecurity Framework. "It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things." Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.
This article summarizes the benefits of using the latest version of NIST's Cybersecurity Framework within an organization, and how to begin integrating it. The ROSAS Cybersecurity team is available to support you in adopting the approach advocated by NIST within your company.
Why should my company integrate the latest version of the NIST Cybersecurity Framework?
The Framework will help your company to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each franc spent on cybersecurity. By providing a common language for addressing cybersecurity risk management, it is especially helpful for communicating inside and outside your organization. That includes improving communication, awareness, and understanding between and among IT, planning, and operating units.
There are no "silver bullets" when it comes to cybersecurity and protecting an organization. For instance, "zero-day" attacks exploiting previously unknown software vulnerabilities are especially problematic. However, using the Framework to assess and improve the management of cybersecurity risks should put your organization in a much better position to identify, protect, detect, respond to, and recover from an attack, minimizing damage and impact.
How can my company adopt the latest version of the NIST Cybersecurity Framework?
First, a Framework Profile must be defined. It represents the cybersecurity outcomes, based on business needs, that your organization selects from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, your organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. It can also add Categories and Subcategories as needed to address the organization's risks.
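The Current-versus-Target comparison described above is easy to make concrete. The following is an added illustration, not code from the article or from ROSAS: it scores a handful of real CSF 1.1 Subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1, RS.RP-1, RC.RP-1) with constructed, hypothetical maturity levels (0 to 4) and business-importance weights (1 to 5), then ranks the gaps so that the largest gap on the most important outcome comes first. A Subcategory present in the Target but absent from the Current Profile (the case where the organization adds one to address a new risk) is treated as not yet implemented.

```python
from dataclasses import dataclass

# CSF Function prefixes used in Subcategory identifiers (real mapping from the Framework Core).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample data: hypothetical maturity levels 0 (not implemented) to 4 (optimized)
# and business-importance weights 1 to 5, as a risk assessment might assign them.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "RS.RP-1": 3, "RC.RP-1": 1}          # "as is"
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}  # "to be"
WEIGHTS = {"ID.AM-1": 3, "PR.AC-1": 5, "DE.CM-1": 4, "RS.RP-1": 2, "RC.RP-1": 3}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    gap: int        # target minus current, never negative
    priority: int   # gap scaled by business weight; higher means address sooner


def function_of(subcategory: str) -> str:
    """Resolve 'PR.AC-1' to its CSF Function name ('Protect')."""
    prefix = subcategory.split(".", 1)[0]
    return FUNCTIONS.get(prefix, "Unknown")


def gap_analysis(current: dict, target: dict, weights: dict) -> list:
    """Compare a Current Profile to a Target Profile and return gaps, highest priority first.

    Subcategories missing from the Current Profile count as level 0, so an outcome the
    organization has newly added to its Target shows up as a full gap rather than being ignored.
    """
    rows = []
    for sub_id, target_level in target.items():
        current_level = current.get(sub_id, 0)
        gap = max(0, target_level - current_level)
        weight = weights.get(sub_id, 1)
        rows.append(Gap(sub_id, function_of(sub_id), current_level, target_level, gap, gap * weight))
    # Ties broken by identifier so the ordering is deterministic.
    rows.sort(key=lambda g: (-g.priority, g.subcategory))
    return rows


def gap_by_function(gaps: list) -> dict:
    """Sum priorities per CSF Function, useful for a management-level summary."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.priority
    return totals


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS):
        print(f"{g.subcategory:9} {g.function:8} current={g.current} target={g.target} "
              f"gap={g.gap} priority={g.priority}")
    print(gap_by_function(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)))
```

With the constructed inputs, PR.AC-1 (identity and credential management) ranks first because it has both the largest gap and the highest weight, while RS.RP-1 already meets its target and drops to the bottom of the list. The weighting scheme is the point to adapt: the Framework leaves it to the organization's business drivers and risk assessment.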
Does my company have to follow the NIST Cybersecurity Framework or the ISA/IEC 62443?
An important element to take into account is that the NIST Cybersecurity Framework should not replace certifiable approaches such as ISA/IEC 62443. Indeed, the NIST CSF is an overarching document that addresses cybersecurity (both IT and OT) for the majority of critical industrial sectors, while ISA/IEC 62443 is a set of standards for industrial cybersecurity designed to prevent or mitigate cybersecurity attacks. In other words, the NIST CSF should be used by your organization as a reference that guides and directs you to the appropriate standards (i.e. ISA/IEC 62443), which describe the detailed information needed to implement a cybersecurity program. Therefore, ISA/IEC 62443 and the NIST CSF truly complement each other.
What can my company do if it has little or no cybersecurity background?
At ROSAS Center Fribourg, we can help you implement the principles recommended by the latest version of NIST's Cybersecurity Framework by defining a systematic methodology, tailored to your needs, for managing cybersecurity risk across your current processes and potential cybersecurity programs. The process of creating your own Framework Profiles can provide your organization with an opportunity to identify areas where existing processes may be strengthened, or where new processes can be implemented.
A first discussion with our Cybersecurity team will allow you to evaluate your needs free of charge and perhaps find new opportunities to improve your long-term business efficiency.
Contact Person: Kilian Marty (email@example.com)