One of the latest calls for better cybersecurity arrived in the form of the Obama Administration's Executive Order of Feb. 12, 2013, which directed the National Institute of Standards and Technology (NIST) to develop a framework for improving critical-infrastructure cybersecurity. NIST's draft framework includes a draft compendium of informative references, compiled from a review of more than 320 national and international standards, guidelines, directives, best practices, models, specifications, policies and regulations. The organizations behind those sources include ANSI, ISA, NERC, API, ISO, IEC, NEI, NIST, NFPA, OIG, OLF, OPC, SANS and TIA, among others.
Naturally, some common themes on cybersecurity best practices have emerged. "The basic cybersecurity process involves identifying critical assets, doing security risk assessments for them, deciding how the cybersecurity framework applies to them, and coming up with a mitigation plan and actions to comply with it," explains Michael Martinez, CISA, principal in Invensys' Critical Infrastructure and Security Practice.
NIST's preliminary framework is organized around five functions: know, prevent, detect, respond and recover.
- Know means gaining the institutional understanding to identify which systems need to be protected, assessing their priority in light of the organization's mission, and managing processes to achieve cost-effective risk-management goals.
- Prevent consists of categories of management, technical and operational activities that let the organization choose the outcome-based actions needed to adequately protect the business systems supporting critical-infrastructure components against threats.
- Detect includes activities that identify, through ongoing monitoring or other means of observation, the occurrence of undesirable cyber risk events, together with the processes for assessing the potential impact of those events.
- Respond involves making specific risk-management decisions and carrying out actions, proportionate to the estimated impact, that follow the cybersecurity plans put in place during the Prevent function.
- Recover includes categories of management, technical and operational activities that restore services impaired by an undesirable cybersecurity event.