The Cyber Engineering Working Group has developed the guidance below on selecting Cyber Standards. Feedback is sought from the Community as follows:
· Is this sort of material useful?
· Are there any specific topics the community would like covered?
· Is there a preference for less in depth or deeper dives into specific subjects?
Selecting Cyber Standards
Introduction
Engineer’s desire to address cyber security by applying a standard. This has been the traditional approach to problems, apply a standard and when accomplished, the job is done. Issues in cyber security continue to evolve and erode this capability. A system made secure today may be wide open tomorrow as new “zero day” vulnerabilities are found. This does not mean that standards are not applicable to cyber security. It means that any system state needs to remain agile to the changing environment.
Standardisation communicates a known state. When we hear a system has achieved a certain standard, we don’t have to delve into the intricacies of what a system does or does not do, we assume that certain things are in place. The alure to implement a standard to prove that the job is done pervades engineering. However cyber security challenges this view.
Many cyber security standards are risk based providing a framework in which to describe a complex system and identify the outcomes without prescriptive measures. This can be challenging as there is still a level of subjectivity that requires care and knowledge to navigate. One situations compliance with a standard could be grossly negligent in another. Context and consequence are critical for interpretation.
Should cyber standards be part of the solution? The short answer is yes. Standards capture good practices and cause us to consider a range of measures that might not otherwise be addressed. The number of standards available to address cyber is in the hundreds. Application of a standard is meant to provide:
· Reduced costs
· Efficiency
· Mitigation of risks
· Consistency
· Customer confidence
· Uniformity
· Assist in elimination of trade barriers
· A common language
· Provide universal vendor requirements
So which standards are the most appropriate to our systems?
Graphic courtesy of Malcom Bailiem, Nozomi Networks
Context
Context is a key element of selecting standards. Choices need to me made based on many factors including, industry, lifecycle, technologies being used, the criticality of the systems, cost of implementation, regulation and the authority to select.
Specifying or adopting more standards is not necessarily better. There is considerable overlap between standards however they often take different paths to the similar outcomes. By mixing a more prescriptive standard such as NIST with a risk-based standard there are considerable overheads that can be created. This can distract organisations for managing risk to meet the requirements of each standard.
As a customer
There needs to be a reason for selecting a standard to impose on suppliers. Imposing a standard on a company that already meets alternate standards will come at additional cost. We should be asking “what is wrong with the standard that is already implemented?” Uniformity is not an answer. Suppliers of suppliers will implement other standards for their components and the next customer of a supplier may require a different standard of the same system. What does it mean to impose a standard and what is the cost that will be imposed?
An examination of the standards in use is a better approach. This can be achieved by writing requirements that specify a standard along with “or equivalent”. Using this approach, a risk-based decision can be made to accepting alternate standards and including additional requirements to make up any shortfall.
Maturity models can be used to assess a supplier’s approach to cyber. The advantage of using a maturity model is that they are generally agnostic to the supplier’s choice of cyber standards and frameworks. A number of models exist such as
· C2M2 - Cyber Security Capability Maturity Model
· CDCAT - Cyber Defence Capability Assessment Tool
· IAMM - IA Maturity Model
· ISF - Information Security Forum
· CSET - Cyber Security Evaluation tool.
Be aware that standards compliance is less effective in some situations such as online services. There are alternate approaches to understanding supplier quality that can give a better indication of supplier quality such as Statements of Operating Controls (SOC) reports.
As a designer/developer
The stage in a systems life cycle affects the standards being used. Many of the NIST and ISO standards are aimed at existing systems. This is in line with the need to retrofit cyber into legacy systems, rather than designing cyber security into systems. In development, the first step should be to select an architecture and then coding standards for the developers.
Development standards are needed to build cyber resilience into systems. Development standards such as OWASP and the CMU Cert Secure Coding should be considered. The OWASP has been developed for web applications but can be used in part for other developments. CMU Cert Security Coding relate to C and C++ development but can be adapted to other languages.
Operational technology should look at meeting specific technology cyber standards. At the time of writing, there are over 180 different standards available that address cyber depending on the type of technology (e.g.: NIST SP 800 121 Guide to Bluetooth Security). Standards selected should be chosen that best fit with the technology over applying a horizontal standard such as ISA/IEC 62443 Standard Series for Securing Industrial Automation and Control Systems.
Information technology standards such as ISO27000 series and NIST 800 series have been developed to address ICT and Web technology. These are common and are recommended for addressing ICT systems.
The cost of implementing a standard should be considered. Selecting a standard that does not have a fit can lead to an overhead in managing requirements which may not be relevant. Requirements, in these standards, may not cover all the aspects of what may be needed to secure the technology.
The Australian Government relies on the Information Security Manual. This document provides a set of practices and control guidelines for implementing systems to meet information security needs based on classification of information. These requirements are weighted to preventing and controlling access to classified information rather than cyber physical systems.
As a manager
Cyber management frameworks look at addressing management of cyber within an organisation and can be applied to the development environment. They cover topics such as Governance, Security Architecture, Security Policy, Password Policy, Risk Management, Compliance, Identity management, Workforce Management, Situational Awareness, Vulnerability Management, Supplier Management, Vendor Assessment, Asset and Configuration Management, Operations & Event Management, Business Continuity & Disaster Recovery, and Security Behaviour & Training. Selection of a cyber framework can set the scene for development of a system as well as for deployment and operation.
NIST and ISO2700 series contain cyber management frameworks. ISO 27001 involves auditors and certifying bodies, while NIST CSF is voluntary. The NIST framework consists of control catalogues and five functions to customise cybersecurity controls. ISO 27001 contains 14 sets of control categories and 10 management clauses to guide organisations. Selection is a choice, and both achieve an acceptable level of cyber management.
Finally, there as less well known but highly effective standards such as the Information Security Forums (ISF) standard of good practice that is a synthesis of NIST, ISO and 500 large organisations own cyber security standards. This sits alongside country and sector specific standards and regulatory frameworks such as NERC-CIP (US Energy), TS5701 (rail) etc.
Others that have made standards recommendations
Choosing the Right Cyber Security Standard (Harmonisation Taskforce) | G+T (gtlaw.com.au)