The federal government’s long-awaited Cybersecurity Framework offers promising tools for energy companies to manage their cybersecurity risk, but leaves many questions unanswered. The National Institute of Standards and Technology (NIST) issued its “Framework for Improving Critical Infrastructure Cybersecurity” (the Framework) to help enable organizations across industry sectors to inform and prioritize cybersecurity decisions. NIST developed the Framework, released on February 12, in response to directives in President Obama’s February 2013 Cybersecurity Executive Order. While the Framework offers a helpful blueprint for energy companies to build or improve cybersecurity risk management processes and activities, it remains unclear whether in practice the Framework will effectively become mandatory and whether it will be a useful tool to strengthen the resilience of critical infrastructure to cyber threats.
Below we provide an overview of the Framework, identify some of the material changes from the preliminary Framework issued by NIST in October 2013, and discuss some of the Framework’s implications for the energy industry.
An Overview of the Framework
The Framework’s Objectives.
The goal of the Framework is to enable an organization to build a cybersecurity profile that lays out how the organization manages cybersecurity risk, sets its related goals and priorities, and achieves those objectives. Using risk management processes, the Framework provides “a common language and mechanism” for organizations to describe their existing and desired cybersecurity postures, identify and prioritize ways to improve, assess progress, and improve internal and external communications related to their cybersecurity programs.
Cybersecurity profiles will differ, and the Framework does not present a “one-size-fits-all” approach to cybersecurity. Nor is the Framework intended to function as a “checklist” for industry participants. Rather, the Framework offers a toolbox from which organizations across industry sectors may pull instruments as appropriate to help develop and enhance their particular cybersecurity programs.
The Framework’s Structure.
Appendix A of the Framework offers a “Framework Core,” which provides a means of organizing cybersecurity activities across an organization’s entire business enterprise. This organizational structure is composed of the following factors (from most broad to most narrow):
Functions ask that an organization: (1) identify ways to promote an “institutional understanding” of what needs to be protected and the related risks and priorities; (2) protect systems and services; (3) detect a cybersecurity event; (4) respond to a detected cybersecurity event; and (5) recover capabilities and services from such an event.
Categories provide a means to organize activities closely tied to programmatic needs and include, for example, Asset Management (Function: Identify), Access Control (Function: Protect), and Detection Processes (Function: Detect).
Subcategories provide tactical groupings within each Category. For example, under the Asset Management Category, the Subcategories would have an organization inventory its physical devices and systems as well as software platforms and applications.
Informative References include a non-exhaustive list of specific standards, guidelines and practices to accomplish cybersecurity activities within each Subcategory.
The Framework includes four “Implementation Tiers” to measure the level of sophistication of an organization’s cybersecurity program. The Tiers assist organizations as they determine their current and target cybersecurity postures in each Category. Tier 1 represents the least formalized tier and includes reactionary, ad hoc procedures, while Tier 4 represents the most formalized tier and includes proactive, adaptive procedures.
The Framework does not insist that all organizations be, or be working toward becoming, Tier 4, the most sophisticated level. There are costs and benefits of operating at each Tier. Each organization should make its own determination of which Tier is appropriate based on a thorough understanding of the risks it faces and the costs of mitigating those risks using different methodologies. The Framework provides tools and concepts to enable organizations to make these decisions.
Changes From the Preliminary Framework
Much of the Framework mirrors what was included in the Preliminary Framework issued last October, with a few significant changes. Three sets of those changes are discussed here.
First, the Framework removes a controversial appendix on protecting privacy and civil liberties that went beyond what U.S. law currently requires to protect personally identifiable information (PII).
Second, in place of that controversial appendix, the Framework adds a new section providing a general methodology to ensure that privacy and civil liberties are adequately protected as part of an organization’s cybersecurity operations. Related concerns may include, but are not limited to:
Over-collection or over-retention of PII;
Disclosure or use of PII unrelated to cybersecurity operations; and
Adverse impacts on certain individual rights (e.g., freedom of expression or association).
To address these privacy and civil liberties concerns, the Framework recommends that organizations consider incorporating privacy principles into their cybersecurity programs. These principles include:
Minimizing PII collection, disclosure and retention;
Limiting use of PII collected;
Improving transparency for cybersecurity activities;
Developing individual consent and redress procedures for when PII is used;
Enhancing data quality, integrity and security; and
Developing improved accountability and auditing processes.
Although the Framework uses very permissive language in discussing these principles—such as “organizations may consider”—it does create an expectation for privacy to be incorporated into security operations much more extensively than it likely is at most organizations currently. For example, most private businesses have incorporated disclaimers into their login screens stating that users should have no expectation of privacy when using company computers. Adoption of the Framework principles would require a significant change in that stance.
The Framework outlines several ways that organizations can address the privacy and civil liberties concerns outlined above. For example, an organization may develop training programs to educate personnel and third-party service providers about the organization’s privacy policies in the context of its cybersecurity program. A privacy-focused review may also be conducted to ensure that an organization’s cybersecurity program adequately accounts for privacy concerns, particularly when PII is shared with external parties as part of a cybersecurity activity.
Third, the Framework references the potential for international application and cooperation to improve critical infrastructure cybersecurity worldwide. This international aspect may have broad implications for companies operating in countries with existing cybersecurity regulations.
What This Means for Energy Companies
On the surface, the Framework appears helpful. It provides a process, conceptual structure and tools to develop and improve an organization’s cybersecurity risk management program. While programs may vary in sophistication and scope, every organization, particularly in the energy sector, should have a cybersecurity risk management program in place. Energy companies—including owners and operators of generation, transmission and distribution assets, oil and natural gas refineries and pipelines, and nuclear facilities—are high-risk targets for cyber attacks. Additionally, energy companies have unique, oftentimes highly complex concerns due to the interrelationship between traditional information technology (IT) and operational systems. The Framework offers energy companies a means and motivation to tune up or jumpstart their cybersecurity risk management programs to address cybersecurity risks.
Still, the Framework leaves some questions unanswered:
Voluntary vs. mandatory. While the Framework is framed as a voluntary initiative, in practice the Framework may emerge as the de facto industry standard and function as a mandatory requirement for industry participants. For example, in the absence of applicable, specific regulatory requirements, internal and external auditors may use the Framework as a standard by which to measure a particular organization’s cybersecurity risk management program. The courts also may view the Framework as a standard by which to judge liability claims arising from cyber attacks. Additionally, insurance companies offering cyber-related insurance options may factor in an applicant’s adoption and implementation of the Framework in coverage and premium determinations. The cumulative effect of these pressures may drive companies to adopt the Framework, effectively making it mandatory.
Compliance vs. security. The Framework runs the risk of becoming a compliance document rather than a means of promoting enhanced, adaptable security. As auditors, courts and others take a “check the box” approach in their review and use of the Framework, the goal may shift to complying with the standards outlined in the Framework, rather than the ultimate objective of improving critical infrastructure security.
Duplicative or contradictory function. Although the Framework is consistent with some existing standards, it may also duplicate or, worse, contradict existing requirements, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. How the Framework will interact with the CIP Reliability Standards, other regulatory requirements, and industry standards will be telling for how the Framework will be received by industry participants.
Set standards or have them set for you. The Framework anticipates that more specific technical guidance, standards and best practices will be developed by industry sectors. For “critical infrastructure” industries, like energy, there will be pressure for industry groups to develop such sector-specific standards and encourage their adoption across the industry. If industries fail to act, there will be stronger motivation under the Framework for regulatory agencies and lawmakers to act in their stead.
Liability protections. The Framework does not—and cannot—provide liability protections to industry participants that adopt the Framework. These protections require legislative action and therefore are left to Congress and perhaps the state legislatures to address.
In sum, the Framework offers energy companies some useful tools for developing their cybersecurity programs. But as outlined above, the Framework leaves a number of important issues unaddressed. In releasing the Framework, NIST notes that this is only a first version, and that it now expects others to take up the work of filling in the blanks and answering the unanswered questions. Energy companies are encouraged to remain actively involved in shaping the content of future versions of the Framework to address the particular needs and concerns of the industry, and in the debate over whether or, more likely, how the Framework is used by regulators.