NIST moves forward on White House cybersecurity order


By: SGN Staff


Quick Take: Along with so many others, I've been encouraging utilities to take cybersecurity more seriously. So when I heard that NEMA's Paul Molitor was attending an important NIST cybersecurity workshop, I asked him if he would share the outcomes.


In a nutshell: You have one last chance to comment on the NIST security framework before it is published. After that, utilities will be "encouraged" to follow its guidance. Although compliance will not be mandatory, I believe it will quickly become a CYB (cover your backside) necessity. Can you imagine the uproar if a utility suffers a major cybersecurity event and it is discovered that it ignored NIST guidelines that could have prevented the situation?  - By Jesse Berst


By Paul Molitor


On February 12, 2013, President Obama signed Executive Order 13636, which deals with "Improving Critical Infrastructure Cybersecurity.”  According to the order: "The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the ‘‘Director’’) to lead the development of a framework to reduce cyber risks to critical infrastructure (the ‘‘Cybersecurity Framework’’).” 


On September 13, 2013, NIST concluded the last of four Cybersecurity Framework Workshops leading to the release of a document designed to meet the agency’s obligation under the order. The August 28, 2013 discussion draft of the framework used during the workshop is composed of three parts:

  1. The Framework Core is a compilation of cybersecurity activities and references that are common across critical infrastructure sectors;
  2. Framework Implementation Tiers ("Tiers”) demonstrate the implementation of the Framework Core Functions and Categories and indicate how cybersecurity risk is managed; and
  3. A Framework Profile ("Profile”) conveys how an organization manages cybersecurity risk in each of the Framework Core Functions and Categories by identifying the Subcategories that are implemented or planned for implementation.

Because it is nearing completion, discussion of the framework’s content was somewhat limited to observations of shortfalls in some of the discussion draft's language.  The majority of the conversation centered on asking attendees to describe what additional guidance or information would be necessary to start assessing their current cybersecurity status through the prism of the Framework Core’s design.