In the final part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we look at the big picture and elaborate on similarities and differences between the CSF and our own RIPE Framework.
Maybe the most puzzling aspect of the NIST CSF is that it is sold as the government’s cure for one of the most serious national security challenges we must confront, namely protecting against cyber attacks those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (the definition of critical infrastructure used in EO 13636). It is clear that the CSF cannot deliver on the very proposition that initiated the whole effort, for several conceptual and methodological reasons:
- Nowhere does the CSF or EO 13636 specify any criteria for what the required, or even the desired, state of critical infrastructure cyber security would be, let alone how it could be measured, or what level of effort the government expects from the private sector to close the gap, however small or large it may be.
- The conceptual core of the CSF is risk management based on the needs and preferences of individual businesses. It is not logical to assume that an economic optimization process that aims at reducing cost (both of potential incidents and of mitigation efforts) would somehow magically reduce emergent cyber risk, such as that of a critical infrastructure sector at large.
- Throughout the NIST CSF, conceptual flexibility is introduced where methodological rigor would have been desirable. Leaving it to the implementor’s discretion which of the 98 Subcategories to put in a Profile, which Implementation Tier to choose, how to fill the Subcategories with hardcore content, and which cyber security gaps to mitigate simply means that the most secure and the most insecure installation can both be CSF-conformant. In other words, just following the NIST CSF doesn’t in itself make anyone more secure.
- By being completely abstract and vague about the how-to of implementation, the NIST CSF falls short of solving one of the biggest problems of cyber security: making mitigation cheaper, standardized, and measurable. NIST CSF users still need to hire an army of witch doctors who tell them how to implement what NIST may “really” have meant, simply because NIST failed to say so plainly. A more practically useful approach would, for example, have acknowledged the fact that the eight critical infrastructure sectors where cyber security is closely tied to industrial control systems need something very different from the other half of the critical infrastructure sectors.
Let’s compare this to the RIPE Framework.
First, RIPE is 100% focused on the cyber security of industrial control system installations and does not address IT security, since the two are so different. However, RIPE is not limited to critical infrastructure but can also be applied to manufacturing environments, food & beverage, etc.
Second, the Domains chosen in RIPE (similar to NIST Categories) have their roots in first principles. They cover the eight areas with an impact on the reliability of control system functionality, from supply chain via configuration to policies and procedures. The other aspect of RIPE that is rooted in first principles is the concept of cyber security capability, which is completely missing in the NIST CSF. It basically teaches that we have to move away from illusionary security (a.k.a. security theater), where it is simply assumed that security controls do a perfect job at what they’re advertised for – without checking how valid such a claim can be, and how well the implementation is actually done on the real plant floor.
Third, RIPE includes the whole package that the asset owner needs, from the cyber security program to implementation checklists, policy documents, database schemas, etc. All of this is missing in the NIST CSF. For example, NIST simply tells you to pick your own cyber security program, not recognizing the fact that useful programs don’t grow on trees.
Fourth, RIPE is fact-based and allows for metrics and benchmarks. You have often heard that you cannot improve what you cannot measure. Well, the RIPE Framework comes with metrics for all Domains that not only allow you to measure performance and compare it against peers, but even to empirically answer questions like “did our extended training program deliver any results on policy compliance?” It is one of the more astonishing characteristics of the NIST CSF that strong ties to empirical reality and measurement are missing.
Fifth, the RIPE Framework is maintained by a private company (The Langner Group). This means that RIPE users can receive regular updates of RIPE templates that include improvements and address new products and vulnerabilities. It also means that they can receive analytic reports based on audits that include insight and intelligence from the best analysts in the field, without being afraid of potentially disclosing “too much” to a government agency. Our analytics focus on emergent vulnerabilities and incorporate all the lessons learned from our Stuxnet analysis – something you don’t get from any other organization.
There is an irony in RIPE. As much as we have criticized the government’s cyber security activities and inactivities, we strongly believe in one of the same government’s propositions and take it even further (i.e. without stretching the idea of public-private sector partnership): The private sector can actually solve most of the problem on its own. What we at The Langner Group work hard to achieve is to solve that problem in the most reliable and cost-efficient manner – that’s actually the RIPE value proposition.