We discussed an overview of NIST’s draft cybersecurity framework (CSF) the other day and have heard a few people grumble about it here and there. Here’s one example … a blog post from Langner.com that argues the current version’s fundamental flaw is that it doesn’t lead to predictable results. The two major factors behind this, in their view, are the CSF’s dependence on the concept of risk and its use of capability maturity levels. In the end they recommend a framework modeled on their Robust ICS Planning and Evaluation (RIPE) approach. The next two paragraphs are quoted from that post.
Last week NIST published a draft of the US government’s Cyber Security Framework (CSF). If the CSF was a recipe that was used by three different chefs, one of them could end up with fish soup, the next with apple pie, and the third with nothing but a messy kitchen. In less metaphorical words, a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results. The CSF is just another take on how to approach cyber risk in a way that is somehow aligned with NIST-800, ISA-99/IEC-62443, NERC CIP, ISO/IEC 27001, ES-C2M2, and COBIT. However, application of the CSF has no predictable effect on empirical system properties and measurable cyber security assurance.
There are two major reasons for this. The first is the reliance on the concept of risk, which was, oddly enough, mandated by Presidential Executive Order 13636. Regardless of the popularity of risk parlance, risk-based approaches in ICS security lack empirical foundation, and the outcome of a risk assessment can be stretched in any direction. For an in-depth discussion see the Bound To Fail paper by Ralph Langner and Perry Pederson.
What do you think of NIST’s most recent draft of the cyber security framework? Let us know in the comments below. Today’s post pic is from DavinciDilemma.com. See ya!