Cyvera and NIST Cyber Security Framework

By Yiftach Keshet | November 26, 2013

The National Institute of Standards and Technology (NIST) is currently finalizing a draft of its cyber security framework for critical infrastructures. According to the original schedule, the formal draft version, once released, will be open for public review until February 2014. When the review is complete, NIST will release a final version of the standards that incorporates the changes recommended by stakeholders. The framework adds a security layer on top of the 2012 updated FISMA, which introduced the phrase ‘continuous monitoring’ to describe a sound cyber security policy for an entity. That policy puts strong emphasis on three security components: trusted internet connections, network monitoring, and strong authentication.

These security components alone do not suffice to withstand the advanced persistent threats seen in recent years. Acknowledging this inherent gap in FISMA is the starting point from which the NIST framework was initiated.

The framework widens and deepens the ‘Continuous Monitoring’ concept to include malware detection and mitigation abilities, which are altogether absent from the initial ‘Continuous Monitoring’ FISMA standard:

Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.

Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber-security event.

Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cyber-security event.

Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cyber-security event.

The NIST framework is not mandatory; rather, it specifies three optional degrees of commitment. Each critical infrastructure entity is free to choose which level to adopt and to implement its security system accordingly.

To better understand the practical implications of voluntary guidelines, consider the power grid case. The Federal Power Act grants FERC authority over the bulk power system, but most of the smart-grid equipment that creates vulnerabilities is installed on local distribution systems beyond FERC’s jurisdiction. As a result, the National Institute of Standards and Technology (NIST) has put together a three-volume set of smart-grid cyber security standards. Since these standards are not obligatory, most utility companies do not follow them. Moreover, no utility company will be held responsible for damage resulting from not following these standards.

The new guidelines work differently. The underlying assumption is that a critical infrastructure entity is held responsible for all damage resulting from cyber attacks. The framework’s aim is to clarify how to meet this responsibility correctly. Each entity is free to adopt or reject the guidelines according to its own priorities, but decision makers should keep in mind that, although no regulatory power exists to require and audit cyber security implementation beforehand, they will still bear the legal and financial consequences of a successful cyber attack. The consequences of a decision maker’s misjudgment of the appropriate degree of security commitment could be grave.

Cyvera TRAPS and Cyvera P3 for ICS-SCADA systems are built to block and reveal targeted attacks at the exploitation phase. This is the stage in the attack’s life cycle at which the attacker is still striving to gain a foothold; it precedes, and is in fact a prerequisite for, the malware execution phase. Therefore, dismantling the attack at the exploitation stage terminates it completely.

The thorough security achieved by Cyvera meets and goes beyond the core security intentions and requirements of the NIST framework, as it unifies detection, response and recovery in one solution. The ability to shut down attacks at this preliminary stage ensures zero time from the initial block to full recovery.