Last week NIST published a draft of the US government’s Cyber Security Framework (CSF). If the CSF were a recipe used by three different chefs, one of them could end up with fish soup, the next with apple pie, and the third with nothing but a messy kitchen. In less metaphorical words, a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results. The CSF is just another take on how to approach cyber risk in a way that is somehow aligned with NIST-800, ISA-99/IEC-62443, NERC CIP, ISO/IEC 27001, ES-C2M2, and COBIT. However, applying the CSF has no predictable effect on empirical system properties or on measurable cyber security assurance.
There are two major reasons for this. The first is the reliance on the concept of risk, which was, oddly enough, mandated by Presidential Executive Order 13636. Regardless of the popularity of risk parlance, risk-based approaches in ICS security lack an empirical foundation, and the outcome of a risk assessment can be stretched in any direction. For an in-depth discussion, see the Bound To Fail paper by Ralph Langner and Perry Pederson.
The second reason is the introduction of implementation tiers in the CSF, which basically correspond to cyber security capability maturity levels. According to the CSF, an organization is free to choose its desired implementation tier, depending on organizational goals and feasibility. Quote: “Organizations should determine the desired Tiers at the Category level, ensuring that the selected levels meet the organizational goals, reduce cybersecurity risk to critical infrastructure, and are feasible to implement”. An organization can simply decide that its target implementation tier is zero, which basically means a completely immature cyber security process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers.
So what does a cyber security framework need to look like that avoids these flaws and makes a difference? We created one for industrial control system installations that we call RIPE, an acronym for Robust ICS Planning and Evaluation. A brief description of the framework is given in a technical whitepaper that is available for download. Asset owners interested in implementing RIPE are encouraged to contact us.