What can be done to reduce the cyber risk to U.S. critical infrastructure, and is it possible to establish a cybersecurity framework that is detailed enough to be useful yet general enough to work across sectors and to remain relevant as threats evolve? That is the challenge facing the National Institute of Standards and Technology (NIST), the agency charged with developing the framework called for in the President’s February 12 Executive Order on Critical Infrastructure Cybersecurity.
To work toward that goal, NIST issued a request for comments from industry. Nearly 250 commentators [updated after 2nd workshop: final count was 243], some representing single companies and others representing entire sectors, responded. Their suggestions will serve as the raw material from which the framework will be constructed.
Some commentators pointed out the limits of any such effort. The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), for example, noted that “given realistic resources, vulnerability reduction alone cannot reduce aggregate risk to an acceptable level at any point in the foreseeable future.” Moreover, it noted that known attacks against critical infrastructure have relied on zero-day exploits, which target vulnerabilities not previously known to the defender and therefore not yet patched. Thus, it writes in its NIST comment letter, those attacks “would have been successful even if all known vulnerabilities to the target systems had been remediated.”
ICS-ISAC also noted the challenges unique to utilities: “Methods as basic as the application of software patches become extremely problematic in ICS environments where the consequence of such a patch causing a fault may be higher and more likely [to occur] than the problem fixed by the patch, or where no ‘off hours’ window of opportunity to apply such patches presents itself.”