Federal regulators are adapting voluntary cybersecurity standards to suit industries they oversee, for what could pan out to be requirements.
Boat owners became the latest "critical infrastructure" industry that might be obliged to follow certain steps for identifying, thwarting and recovering from a network breach.
The voluntary "Framework for Improving Critical Infrastructure Cybersecurity” was released by the National Institute of Standards and Technology almost a year ago. The framework is part of a 2013 executive order to secure private computer systems that, if disrupted, could cause catastrophic damage to society.
In general, the business community objects to mandatory cyber standards. The Obama administration, responsive to concerns, has not pushed for enforcement.
Right now, most of the guidelines regulators are putting out only advise following the framework. But the agencies are developing protocols around it, too.
"The Coast Guard encourages vessel and facility owners and operators to adopt the cybersecurity framework voluntarily to achieve a minimum standard of cybersecurity protection," states a Dec. 12 notice posted in the government's daily journal, the Federal Register. The agency plans "to engage the public and obtain comments to assist in the drafting of procedures" at a D.C. public meeting Jan. 15, 2015 to "identify and address cybersecurity risks" that could cause fatalities, environmental damage, transportation disruptions or economic devastation.
The procedures could include standards, guidelines and best practices, Coast Guard officials said.
The comment period closes Jan. 29 on Regulations.gov, a public website where individuals and organizations can submit written responses.
NHTSA Crafts Computer Security Program for Talking Cars
The Food and Drug Administration recently began similar adjustments to the voluntary standards.
The agency held Oct. 21 and 22 a public workshop for medical device manufacturers, after issuing guidelines earlier that month promoting the NIST framework. The FDA meeting was slated to discuss "adapting and implementing the framework to support management of cybersecurity risks involving medical devices."
The agency is developing standards as part of a more comprehensive cyber program for the health care industry, officials said.
"Cyber vulnerabilities may result in medical device malfunction, disruption of healthcare services including treatment interventions, inappropriate access to patient information, or compromised electronic health record data integrity," an announcement about the FDA workshop stated. As tools become more interconnected, "rather than impacting a single device or single system, multiple devices or an entire hospital network may be compromised," when there is a digital attack.
Likewise, the National Highway Traffic Safety Administration has endorsed guidelines in the framework. The standards “could allow the automotive industry to develop a security program for modern day automobiles analogous to information security programs in place for information technology systems,” NHTSA officials said in an Oct. 7 request for comment on automotive control system security.
Cars sometimes carry more than 60 computers, supporting networks and a bevy of external connections -- think Bluetooth and Wi-Fi communications. Researchers from the University of California, San Diego and the University of Washington demonstrated that even CDs can infect vehicles. Dozens of embedded computers control everything from tire pressure displays to door locks, and potentially car-to-car talking.
In a Dec. 8 response letter, officials at General Motors told NHTSA to consider tweaking standards listed in the framework but not to mandate them.
"We are not aware of concerns with electronic component safety and/or cybersecurity that could not be addressed by voluntary standards," Brian Latouf, GM director for global vehicle safety, said.
The tech industry's response also urged turning to NIST and the framework for help with an automobile cyber program.
"As NIST continues to work on the framework, NHTSA should engage in providing input directly to complement efforts of automotive and technology industry participants who are using or planning to use the framework to bolster their own security practices," Danielle Kriz, director of global cybersecurity policy for the Information Technology Industry Council, said Dec. 8.