I think everyone who reads my materials knows that I am a BIG believer in the NIST Cybersecurity Framework V 1.1. This short article from NIST's Ron Ross contains some insights and guidance, which I found useful. Here are my key takeaways:
- In today's cyber environment, diverse and highly skilled adversaries, including nation-states, transnational groups, and criminal gangs, are seeking to subvert our critical systems, such as the power grid.
- The National Security Agency (NSA) and the Department of Homeland Security (DHS) recently issued an alert recommending that all asset owners and operators of critical infrastructure take immediate steps to reduce exposure across their operational technologies and control systems. [ RJB: Alerts from CISA and NSA are meant to protect us, not scare us. Take these alerts seriously; these are trusted organizations with ground truth. ]
- NIST has resources that can help our critical infrastructure sectors as they implement the recommendations from NSA and DHS. NIST provides Industrial Control Systems (ICS) security guidance and state-of-the-practice security controls to help organizations implement many of these recommendations along with practical example solutions.
- NIST also has extensive guidance on developing cyber resilient systems, capable of addressing attacks from Advanced Persistent Threats.
- But what about the long-term solution for protecting critical systems in an era of complex systems, hyperconnectivity, and cyber-physical convergence? NIST, along with its agency partners and industry, is working on that. In addition to the resources listed above, the following references may also be useful in helping to ensure that critical systems have the appropriate levels of protection, assurance, and resiliency to warrant trust in those systems:
- Energy Sector Security Applications
- Secure Software Development Framework
- Report to the White House on Reducing Software Vulnerabilities
In addition to the linked article below, I highly recommend watching the SNG Cybersecurity Virtual session from 7/22: https://www.fedscoop.com/events/snglive/cybersecurity-july/