NIST Cybersecurity Framework

Gopalakrishnan M
05. May 2024
Categories: Technology, Certification & Compliances, Best Practices, IoT

As we discussed in our earlier blog, hackers attempt to access data, whether user data or machine-generated data, or to disrupt operations. Since the problem is universal, industry bodies and associations have taken up the common agenda of recommending best practices and guidelines, collectively known as a cybersecurity framework. The NIST Cybersecurity Framework helps ensure that embedded products are secure and protected from cyber-attacks. By implementing good security practices, product owners can keep their devices safe, meet regulatory standards, build trust with customers, avoid losses and prevent damage to brand reputation. This blog introduces the NIST Cybersecurity Framework, touches on different industry-specific CSF options and then delves into the NIST Framework in detail. Embien's digital transformation services include cybersecurity program implementation aligned with the NIST Cybersecurity Framework for embedded and IoT products.

Introduction to Cybersecurity Frameworks

A cybersecurity framework serves as a guide for product owners to build a robust security posture. It helps in understanding current risks, implementing protective measures, and establishing a resilient defense against potential attacks. This assists in determining which activities are most important to ensuring critical operations and service delivery. A cybersecurity framework helps prioritize investments and maximize the impact of each investment in cybersecurity. It shifts the focus from compliance to action and specifies outcomes by providing a common language for addressing cybersecurity risk management across industries. The NIST Cybersecurity Framework gives a measure of where the organization stands today and where it must be with respect to cybersecurity. It has built-in maturity models and gap analysis, so companies don't need additional maturity models on top of the NIST Cybersecurity Framework.

Industry-specific Cybersecurity Frameworks

Various industry bodies have come up with industry-specific CSF options to address needs particular to their domains. While the underlying theme of security is common across every industry-specific CSF, the primary asset being protected varies, and the guidelines are specified accordingly.

Some of the cybersecurity frameworks that are widely in use today are captured below.

  • PCI DSS - The Payment Card Industry Data Security Standard. It provides the set of security controls required to protect payment account data, and it is designed to protect credit, debit and cash card transactions.
  • ISO 27001/27002 - These standards provide best practices and recommendations for information security management.
  • CIS - The Center for Internet Security provides prioritized, practical guidelines aimed at protecting against the most common cyber threats. CISA (the Cybersecurity and Infrastructure Security Agency) also provides guidance aligned with these frameworks.
  • NIST - This framework was introduced to improve critical infrastructure cybersecurity; its goal is to improve organizational readiness for managing cybersecurity risk while leveraging standard processes and methodologies. The NIST Cybersecurity Framework is one of the most widely followed industry-specific CSF options.

Of these, the NIST Framework is one of the most widely followed frameworks across organizations and industries. We look at the components of the NIST Framework in detail below.

NIST CSF

In 2013, the President of the United States issued an executive order directing NIST (the National Institute of Standards and Technology) to develop a voluntary framework, based on existing standards and guidelines, for reducing cyber risk. The NIST Cybersecurity Framework was developed in collaboration with stakeholders such as private sector companies, government agencies, universities and hundreds of professionals and experts. The initial version, CSF 1.0, was released in 2014, and an updated version, CSF 1.1, in 2018. CISA has actively promoted adoption of the NIST Cybersecurity Framework across critical infrastructure sectors.

The NIST Framework contains three main components:

  • Framework Core
  • Implementation Tiers
  • Framework Profiles

Framework Core

The Framework Core is the heart of the NIST CSF. It is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors. It is organized into five high-level functions, which provide a strategic view of the lifecycle of an organization's management of cybersecurity risk. Each function is further divided into categories and subcategories.

Functions:

  1. Identify - This function helps product owners understand and manage cybersecurity risks to systems, assets, data, and capabilities. It is the foundation upon which all other functions are built.
  2. Protect - The Protect function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. It focuses on limiting or containing the impact of a potential cybersecurity event, for example by implementing access controls, conducting security awareness training, encrypting sensitive data, and regularly updating security measures.
  3. Detect - The Detect function defines activities to identify the occurrence of a cybersecurity event promptly. Early detection is critical for minimizing the impact of an incident. Examples include monitoring network traffic (automotive CAN, Ethernet, etc.) for unusual patterns, maintaining intrusion detection systems, and establishing incident detection protocols.
  4. Respond - The Respond function defines the appropriate actions to take once a cybersecurity event is detected. Effective response activities minimize the impact of an incident.
  5. Recover - The Recover function defines activities to restore services and capabilities affected by a cybersecurity incident. It focuses on resilience and recovery planning.
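
The Detect function's example of watching CAN traffic for unusual patterns can be made concrete with a small baseline check. Most CAN frames on a vehicle network are periodic, so the normal inter-arrival interval per arbitration ID is a usable baseline; frames that arrive far too early, or IDs that never appear in known-good traffic, are worth an alert. The following is an added example written for this post, not code from Embien or from NIST; the frames, arbitration IDs and the 50% tolerance are all constructed for illustration.

```python
"""Added example: periodic-traffic baseline check for a CAN network (Detect function).

The frames below are constructed for illustration; the arbitration IDs are not tied to
any real vehicle, and the tolerance is an assumed tuning value.
"""
from collections import defaultdict
from statistics import median

# Constructed known-good traffic: (timestamp_ms, arbitration_id, data_bytes)
BASELINE_FRAMES = (
    [(t, 0x1A0, b"\x00\x10") for t in range(0, 1000, 10)]   # 10 ms period
    + [(t, 0x2B0, b"\x00") for t in range(0, 1000, 50)]      # 50 ms period
)

# Constructed traffic under observation: the same periodic frames, plus a burst of
# two extra 0x1A0 frames and one frame with an ID never seen in the baseline.
OBSERVED_FRAMES = sorted(
    [(t, 0x1A0, b"\x00\x10") for t in range(1000, 1200, 10)]
    + [(t, 0x2B0, b"\x00") for t in range(1000, 1200, 50)]
    + [(1105, 0x1A0, b"\xff\xff"), (1107, 0x1A0, b"\xff\xff")]
    + [(1150, 0x7DF, b"\x02\x10\x01")],
    key=lambda f: f[0],
)


def learn_baseline(frames):
    """Return {arbitration_id: median inter-arrival interval in ms} from known-good frames."""
    last_seen = {}
    intervals = defaultdict(list)
    for ts, arb_id, _data in sorted(frames, key=lambda f: f[0]):
        if arb_id in last_seen:
            intervals[arb_id].append(ts - last_seen[arb_id])
        last_seen[arb_id] = ts
    return {arb_id: median(v) for arb_id, v in intervals.items() if v}


def detect_anomalies(frames, baseline, tolerance=0.5):
    """Return (timestamp, arbitration_id, reason) alerts for unknown IDs and for
    frames that arrive earlier than tolerance * expected interval."""
    alerts = []
    last_seen = {}
    for ts, arb_id, _data in sorted(frames, key=lambda f: f[0]):
        if arb_id not in baseline:
            alerts.append((ts, arb_id, "arbitration ID not in baseline"))
        elif arb_id in last_seen:
            gap = ts - last_seen[arb_id]
            expected = baseline[arb_id]
            if gap < expected * tolerance:
                alerts.append((ts, arb_id, f"interval {gap} ms below expected {expected} ms"))
        last_seen[arb_id] = ts
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FRAMES)
    for ts, arb_id, reason in detect_anomalies(OBSERVED_FRAMES, base):
        print(f"t={ts} ms id=0x{arb_id:03X}: {reason}")
```

The check flags the frame that follows each injected frame as well as the injected ones, because it only sees timing; in practice the alert would be enriched with payload and source information before it reaches the Respond function.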

We will look at these functions in depth in a later blog.

Implementation Tiers

The NIST CSF Implementation Tiers and Profiles provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Implementation Tiers help product owners and organizations determine the rigor and sophistication of their cybersecurity practices, making them a key part of the industry-specific CSF approach.

Tiers:

  1. Tier 1 (Partial) - Risk management practices are not formalized, and risk is managed in an ad hoc and reactive manner.
  2. Tier 2 (Risk Informed) - Risk management practices are approved by management but may not be established as organizational policy.
  3. Tier 3 (Repeatable) - Risk management practices are formally approved and expressed as policy. The organization's cybersecurity practices are regularly updated based on changes in the business and threat environment.
  4. Tier 4 (Adaptive) - The organization adapts its cybersecurity practices based on lessons learned and predictive indicators. It has a proactive approach to cybersecurity.

Framework Profiles

A Framework Profile represents the alignment of the Framework Core functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. Together with the Implementation Tiers, Profiles help product owners and organizations align their cybersecurity activities with their business requirements, risk tolerances, and resources. The NIST Cybersecurity Framework recommends identifying the cybersecurity outcomes currently being achieved (the Current Profile) and the outcomes needed to reach the desired cybersecurity risk management goals (the Target Profile); the difference between the two is the gap the organization plans against.
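
The Current Profile and Target Profile are most useful when the comparison between them is written down per subcategory and ordered by business priority. The following is an added example of that comparison, written for this post and not taken from NIST or from Embien. The subcategory IDs are real CSF 1.1 identifiers (ID.AM-1 asset inventory, ID.RA-1 vulnerability identification, PR.AC-1 identity and credential management, PR.DS-1 data-at-rest protection, DE.CM-1 network monitoring, RS.RP-1 response plan, RC.RP-1 recovery plan); the four-step state scale, the profile contents and the priorities are constructed assumptions.

```python
"""Added example: Current Profile vs Target Profile gap analysis.

Subcategory IDs are CSF 1.1 identifiers; the state scale, the two profiles and the
priority ranking are constructed for illustration.
"""
from collections import defaultdict

# Assumed ordinal scale for how far a subcategory outcome is achieved.
STATES = ["not_started", "partial", "implemented", "measured"]

# Constructed Current Profile: what the product team achieves today.
CURRENT_PROFILE = {
    "ID.AM-1": "implemented",
    "ID.RA-1": "partial",
    "PR.AC-1": "implemented",
    "PR.DS-1": "not_started",
    "DE.CM-1": "partial",
    "RS.RP-1": "not_started",
    "RC.RP-1": "partial",
}

# Constructed Target Profile: the outcome the risk tolerance requires.
TARGET_PROFILE = {
    "ID.AM-1": "implemented",
    "ID.RA-1": "implemented",
    "PR.AC-1": "measured",
    "PR.DS-1": "implemented",
    "DE.CM-1": "implemented",
    "RS.RP-1": "implemented",
    "RC.RP-1": "implemented",
}

# Constructed business priority per subcategory (1 = most urgent).
PRIORITY = {"PR.DS-1": 1, "DE.CM-1": 1, "RS.RP-1": 2, "ID.RA-1": 3, "PR.AC-1": 3, "RC.RP-1": 3}


def profile_gaps(current, target, priority):
    """Return the subcategories whose current state falls short of the target,
    ordered by business priority and then by the size of the shortfall."""
    gaps = []
    for sub_id, target_state in target.items():
        current_state = current.get(sub_id, "not_started")   # unlisted => nothing done
        delta = STATES.index(target_state) - STATES.index(current_state)
        if delta > 0:
            gaps.append({
                "subcategory": sub_id,
                "current": current_state,
                "target": target_state,
                "delta": delta,
            })
    return sorted(gaps, key=lambda g: (priority.get(g["subcategory"], 99), -g["delta"]))


def coverage_by_function(current, target):
    """Return {function: percentage of target subcategories already met}, where the
    function is the prefix of the subcategory ID (ID, PR, DE, RS, RC)."""
    met = defaultdict(int)
    total = defaultdict(int)
    for sub_id, target_state in target.items():
        function = sub_id.split(".")[0]
        total[function] += 1
        current_state = current.get(sub_id, "not_started")
        if STATES.index(current_state) >= STATES.index(target_state):
            met[function] += 1
    return {f: 100.0 * met[f] / total[f] for f in total}


if __name__ == "__main__":
    for gap in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{gap['subcategory']}: {gap['current']} -> {gap['target']} (+{gap['delta']})")
    for function, pct in coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{function}: {pct:.0f}% of target outcomes met")
```

The ordered gap list is the action plan that the tiers and profiles are meant to produce; re-running it after each release gives the measure of progress the post describes.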

The NIST Cybersecurity Framework's Core, Implementation Tiers, and Profiles provide a structured and flexible approach to managing and reducing cybersecurity risk. A product owner can adopt the NIST Framework by identifying potential risks through vulnerability mapping, implementing robust security measures to protect sensitive data and systems, establishing real-time monitoring to detect threats and anomalies, and developing incident response plans to respond swiftly to breaches. They can ensure recovery strategies are in place to restore operations post-incident, use Tiers to assess cybersecurity maturity, and develop Profiles to tailor security measures to specific business needs, ensuring the product is secure, resilient, and compliant with industry standards. Our Cybersecurity Services support the NIST Cybersecurity Framework functions, enabling effective risk management and enhanced system security.

Conclusion

The NIST Cybersecurity Framework's components (the Framework Core, Implementation Tiers, and Profiles) provide a robust foundation for managing cybersecurity risks. By understanding and implementing these components, product owners can develop a comprehensive, adaptive, and proactive cybersecurity strategy. As cyber threats continue to evolve, leveraging the NIST Framework ensures that embedded product owners are well equipped to protect their critical assets, maintain trust with stakeholders, and achieve long-term resilience. The industry-specific CSF approach, exemplified by the NIST Cybersecurity Framework, enables organizations of all sizes and domains to select and implement the right controls systematically. On February 26th, 2024, a revised version, NIST CSF 2.0, was released, adding a new GOVERN function to strengthen organizational oversight. CISA continues to encourage adoption of the NIST Cybersecurity Framework across critical infrastructure globally. We will look into these improvements in the upcoming blog.
