You may have heard “NIST CSF” thrown around by colleagues or leadership in relation to how security policies and procedures should be set up. The NIST CSF is one of several cybersecurity frameworks (along with CIS 20, ISA/IEC 62443, and NIST 800-53) used in the cybersecurity field to set maturity standards for security.
According to Gartner, the ISO 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) will remain the predominant enterprise security frameworks complemented by localized and industry-specific standards and regulations through 2024.
While they are not necessarily driven by regulatory compliance, these cybersecurity frameworks help you understand the inclusive set of security elements to include and how to establish the right target level for each. But what is it, what do you need to know, and what impact does it have for your business?
What does NIST CSF stand for?
NIST CSF is the Cybersecurity Framework (CSF) built by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. Previously called the National Bureau of Standards, NIST promotes and maintains measurement standards with active programs to advance innovation and secure industries such as advanced manufacturing, cybersecurity, health bioscience, and more.
Why was the NIST CSF created?
Critical infrastructure in the United States, such as transportation, energy, chemicals, and manufacturing, depends on security and reliability to keep the country safe and operating smoothly.
On February 12, 2013, President Barack Obama issued an Executive Order to improve cybersecurity in critical infrastructure due to the alarming number of cybersecurity breaches to U.S. critical infrastructure. The Executive Order was created “to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
The U.S. Government worked together with NIST to develop a framework (over the course of many iterations) that could be used by any organization whose processes, products, services, technology, or operations directly impact the nation’s critical infrastructure. As a third-party, unbiased agency, NIST was chosen to construct the framework based on its extensive experience in data protection, its partnerships with industry, education, and government entities, and its overall cybersecurity intelligence.
So, what exactly is the NIST Cybersecurity Framework?
In accordance with the Executive Order, the Cybersecurity Framework was established by adhering to requirements such as:
- Identify security standards and guidelines applicable across sectors of critical infrastructure
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach
- Help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Enable technical innovation and account for organizational differences
- Provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
- Include guidance for measuring the performance of implementing the CSF
- Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
The NIST Cybersecurity Framework is broken into three parts: core, profiles, and tiers. The CSF core refers to the activities and outcomes of cybersecurity adoption. Profiles vary for each organization: they are chosen and optimized depending on the organization's unique challenges, needs, and opportunities to address different core objectives. Tiers specify to what level an organization addresses each of the CSF elements; this is not necessarily based on maturity levels but on what level is necessary and acceptable for each element in the specific organization.
While the core functions of NIST CSF include categories, subcategories, and informative references, we’re going to focus on outlining the five core functions from a 500-foot view:
NIST Cybersecurity Framework Function #1: Identify
The first core function is Identify. The purpose of this function is to establish what assets your organization relies on for business production to understand what you need to protect. These assets include the equipment, people, devices, systems, and data that make up the business environment.
Understanding the various objectives and processes within your company then determines the level of risk associated with each asset and to which tier you should assign it for prioritization. The more critical the asset is to business success and security, the higher its security should be prioritized.
The policies, procedures, and processes should also be identified to assess any constraints, gaps, or potential exposure they have to being attacked. Once you have visibility into all your assets, you should configure a baseline for the normal and approved activities of each asset.
NIST Cybersecurity Framework Function #2: Protect
The next core function in the CSF is Protect. Now that you have identified and classified your assets, you’ll want to proactively protect them against internal and external cyber threats. This includes a number of technical and procedural controls, such as physical and electronic restrictions on asset access, endpoint hardening, and the deployment of security-specific tools to protect assets and monitor their health, among many others.
Different types of access (i.e. physical, virtual/remote) require varying levels of cybersecurity protection. While physical security access is not always forefront in cyber, the NIST CSF is more heavily focused on electronic and procedural controls due to their criticality.
This core function also requires that a host of security maintenance policies and procedures be developed and deployed, such as software patch management and whitelisting. These are two of the most common practices within vulnerability management and protection.
NIST Cybersecurity Framework Function #3: Detect
Detect is the third core function. Here, we’re looking for red flags within and between our assets. During the Protect function, you likely created a baseline for what normal behavior looks like on each asset as well as on the networks it resides in. That way, anything that doesn’t match this baseline can be flagged as anomalous behavior, likely in need of additional investigation or correction. Monitoring assets for anomalous behavior on a regular basis allows you to detect suspicious activity in a timely manner so you can stop an attack (hopefully) before it happens.
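As an added example (not code from the original article or from Verve), the following shows the Identify and Detect steps described above in miniature: an asset inventory records each asset's criticality and its approved, "normal" activity, and observed activity is compared against that baseline, with deviations flagged and ordered so the most critical assets come first. All asset names, tiers, and observation lines are constructed for illustration.

```python
# Added example: Identify (inventory + baseline) feeding Detect (baseline deviation).
# Every asset name, criticality tier, port, and observation below is constructed.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 = most critical to business production
    approved_ports: set = field(default_factory=set)
    approved_software: set = field(default_factory=set)


# Constructed inventory: the output of the Identify function. The baseline is
# simply what each asset is approved to run and expose.
INVENTORY = {
    "plc-line1": Asset("plc-line1", 1, {502}, {"plc-runtime"}),
    "hmi-01":    Asset("hmi-01",    2, {443, 3389}, {"hmi-client", "vnc-server"}),
    "eng-ws-03": Asset("eng-ws-03", 3, {445, 3389}, {"eng-tool", "browser"}),
}

# Constructed observations from a periodic asset check: "<host> <kind> <value>".
OBSERVED = """\
plc-line1 port 502
plc-line1 port 22
hmi-01 software hmi-client
hmi-01 software file-share-client
eng-ws-03 port 445
eng-ws-03 software browser
unknown-host port 80
"""


def detect_anomalies(inventory, observed):
    """Return (criticality, host, reason) tuples for activity outside the
    baseline, sorted so the most critical assets are investigated first."""
    findings = []
    for line in observed.splitlines():
        host, kind, value = line.split()
        asset = inventory.get(host)
        if asset is None:
            # A device missing from the inventory is itself an Identify gap.
            findings.append((99, host, "asset not in inventory"))
            continue
        if kind == "port" and int(value) not in asset.approved_ports:
            findings.append((asset.criticality, host, f"unapproved port {value}"))
        elif kind == "software" and value not in asset.approved_software:
            findings.append((asset.criticality, host, f"unapproved software {value}"))
    return sorted(findings)
```

Approved activity on each asset produces no finding; only deviations from the recorded baseline, plus any host the inventory does not know about, are returned.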
NIST Cybersecurity Framework Function #4: Respond
Now that we’ve detected red flags and anomalous behavior within our assets (yikes!), let’s do something about it. Organizations develop playbooks that determine what actions should take place in the event of a cybersecurity attack.
Response processes and procedures should be updated regularly to incorporate ongoing changes as organizational systems evolve, improved with lessons learned from response activities, and effectively communicated to the appropriate stakeholders. Your policies are only as good as the education you provide to the people who will be relied on to convert policies into action in pivotal moments.
NIST Cybersecurity Framework Function #5: Recover
The final core function in the NIST CSF is Recover. We’ve detected threats in our assets and taken action to remediate the problem. Now we want to get our systems back to where they were before the attack. It’s crucial to continuously back up the current state of your systems so you can restore the affected assets to a state of normalcy in a timely manner. You’ll also want to assess how much damage was done by the cyberattack and determine what actions are needed to future-proof the system. What lessons did you learn, and how can you establish stronger security methods to protect your identified assets against identified vulnerabilities and potential threats?
This brings us back to Identify, where you can re-configure a baseline for what “normal” looks like.
What does the NIST CSF mean for OT security?
Ultimately, the NIST Cybersecurity Framework is not a one-size-fits-all solution for managing cyber security risk as every company faces different threats, levels of severity, and points of intrusion. This is where the NIST CSF profiles and tiers come into play for organizations to determine which strategies are essential to protecting their critical infrastructure.
In the world of OT cybersecurity, industrial companies are coming to the realization that their manufacturing or processing facilities are at risk from both targeted and untargeted cybersecurity threats. While awareness of the issue is growing, many struggle to grasp exactly how to make an impact in protecting these critical assets.
Verve Industrial Protection has a successful track record of helping industrial companies increase their maturity relative to the NIST CSF through our professional design and support services, as well as by deploying the Verve Security Center on customers’ OT or Industrial Control Systems.
No matter where you are in the cybersecurity journey, from a basic understanding to more mature adoption, we can help you significantly increase your level of defense and reliability with our end-to-end solution that supports all five core functions of the NIST CSF. See how you can start implementing the framework today: