This story was updated to provide a comment from Ed Skoudis.
The U.S. government has released preliminary guidelines for key industries on how to shield company systems from destructive attacks that could, for example, knock out electricity or halt transportation.
The voluntary rubric, which was released Tuesday afternoon, homes in on the upper echelon of firms. The rationale being that information technology managers can't bolster security without financial and leadership support from top officials, such as board directors.
In February, President Obama issued an executive order to protect networks running U.S. critical infrastructure that required the National Institute of Standards and Technology to produce final guidelines by November. NIST officials this week said they anticipate publishing official draft guidelines in October.
Tuesday’s plan includes an information flow chart with five "functions" -- factors that affect companies’ vulnerability levels, including the degree to which firms know, prevent, detect, respond, and recover from threats. Each function includes sub-factors such as contingency planning for the recover category. There also is space to enter relevant industry standards and other existing guidelines, which are provided in a separate document released on Tuesday.
Once a firm fills out the flowchart with applicable information, then there is another chart intended to illustrate the company's current security status.
Each of the five factors is broken down by job position: senior leader, business process manager and operations manager. For the contingency planning subcategory, a senior leader at a company with low-level security might write, for instance, "I'm not sure about redundancy for my critical data," while a firm with a stronger security posture might write, "There is a clear strategic plan in place for the protection of critical data and essential services." An operations manager who works at a firm with low-level security might write, "My organization's critical data is contained in one location."
On Tuesday, NIST officials said the proposed practices reflect feedback from a request for public comment, along with two East Coast workshops and other industry outreach events. Next week, the institute will host a seminar in San Diego. There will be sessions for attendees to complete practice charts, according to NIST officials.
Adam Sedgewick, NIST senior IT policy adviser, said in a statement, "we are pleased that many private-sector organizations have put significant time and resources into the framework development process.”
“We believe that both large and small organizations will be able use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management,” he added.
The procedures are optional, and are seen as a stopgap measure until Congress can agree on computer security legislation. Many Democrats would like federal law to mandate that the government enforce such cybersecurity controls, while many Republicans object to regulations and would prefer the government offer companies better threat intelligence. Business leaders have said they need more insights into targeted viruses and more information-sharing among industry about computer breaches.
The order allows such communications, but not liability protections for companies that admit to infected systems.
Some critical infrastructure researchers applauded the administration's attempt to align cyber defenses nationwide.
The plan does "include a lot of moving parts, but information security itself is quite complex. I think the NIST framework will be helpful for critical infrastructure providers to sort out what their current capabilities are, and what they need to do to have a well-thought-out approach to cyber security. This is definitely a step forward," said Ed Skoudis, founder of Counter Hack Challenges, which constructed "CyberCity," a 3-D model town that agencies and businesses are using to practice securing water filtration and other critical industry networks.
The original headline of this story incorrectly said NIST was proposing regulations. The guidelines are voluntary.