NIST Releases Cybersecurity Framework

National Institute of Standards and Technology (NIST) has released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. Created through industry and government collaboration, the Framework consists of standards, guidelines, and practices to provide industry with a “prioritized, flexible, repeatable, and cost-effective approach to help owners and operators of critical infrastructure manage cybersecurity-related risk.”

In terms of how it impacts Automation World readers, the Department of Homeland Security identifies critical infrastructure as including the following industry types:
• Primary metal manufacturing;
• Machinery manufacturing;
• Electrical equipment, appliance and component manufacturing;
• Transportation equipment manufacturing;
• Chemical processing, including specialty, agricultural, pharmaceutical and consumer products chemicals;
• Defense industry;
• Electricity, petroleum and natural gas industries;
• Food and beverage processing and manufacturing; and
• Water/wastewater

Access the Department of Homeland Security’s list of identified critical infrastructure sectors.

The Framework is the result of Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21:Critical Infrastructure Security and Resilience issued by President Obama in February 2013.

Following the announcement of the Framework’s release, Rockwell Automation endorsed it. “Rockwell Automation is honored to have actively contributed to the development of the Cybersecurity Framework that will help address cyber risks to critical infrastructure and manufacturing processes alike,” said Keith Nosbusch, chairman and CEO of Rockwell Automation. “This guideline provides a flexible structure that can help organizations improve information security protection programs to manage risks to industrial control and information systems."

The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program was also formally announced at the time of the Framework’s release.  The Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program is the coordination point within the Federal Government for critical infrastructure owners and operators interested in improving their cyber risk management processes. The C³ Voluntary Program aims to:
• Support industry in increasing its cyber resilience;
• Increase awareness and use of the Framework; and
• Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management.

NIST also issued a companion Roadmap that discusses NIST's next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.