Gopalakrishnan M
05 May 2024 | Categories: Technology

As we discussed in our earlier blog, attackers try to access data, whether user data or machine-generated data, or to disrupt operations. Since the problem is universal, recommending best practices and guidelines, collectively known as cybersecurity frameworks, has become a common agenda for industry bodies and associations. A cybersecurity framework helps ensure that embedded products are secure and protected against cyber-attacks. By implementing good security practices, product owners can keep their devices safe, meet regulatory standards, build trust with customers, avoid losses and protect their brand reputation. This blog introduces cybersecurity frameworks, touches upon different industry-specific frameworks and then delves into the NIST framework in detail.

Introduction to cybersecurity Framework

A cybersecurity framework serves as a guide for product owners to build a robust security posture. It helps them understand current risks, implement protective measures and establish a resilient defense against potential attacks. It also helps determine which activities matter most for keeping critical operations and service delivery running, so investments can be prioritized and each unit of cybersecurity spend has maximum impact. The result is a shift from compliance to action: the framework specifies outcomes and provides a common language for addressing cybersecurity risk management across industries. A CSF (Cyber Security Framework) gives a measure of where the organization stands today and where it must be with respect to cybersecurity. It has a built-in maturity model and gap analysis, so companies do not need an additional maturity model on top of the CSF.

Industry specific Cybersecurity Frameworks

Various industry bodies have come up with cybersecurity frameworks tailored to their own sectors. While the underlying theme of security is common, the primary asset being protected varies, and the guidelines are specified accordingly.

Some of the cybersecurity frameworks that are widely in use today are captured below.

[Figure: Cybersecurity Framework]


  • PCI DSS - The Payment Card Industry Data Security Standard. It provides the set of security controls required to protect payment account data, covering credit, debit and prepaid card transactions.
  • ISO 27001/27002 - These standards provide the requirements (27001) and best-practice recommendations (27002) for an information security management system.
  • CIS - The Center for Internet Security publishes prioritized, practical controls aimed at protecting against the most common cyber threats.
  • NIST CSF - Introduced to improve critical infrastructure cybersecurity; its goal is to improve an organization's readiness for managing cybersecurity risk while leveraging standard processes and methodologies.

Of these, the NIST CSF is one of the most widely followed frameworks across organizations and industries. We will look into the components of the NIST framework.

NIST CSF

In February 2013, the President of the United States issued Executive Order 13636, directing NIST (National Institute of Standards and Technology) to develop a voluntary framework, based on existing standards and guidelines, for reducing cyber risk. The framework was developed in collaboration with stakeholders such as private sector companies, government agencies, universities and hundreds of professionals and experts. The initial version, CSF 1.0, was released in February 2014, and an updated version, CSF 1.1, was released in April 2018.

The Framework contains three main components:

  • Framework Core
  • Implementation Tiers
  • Framework profiles

Framework Core

The Framework Core is the heart of the NIST CSF. It is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors. It is organized into five high-level functions, which provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Each function is further divided into categories and subcategories.

[Figure: Framework Core]


Functions:

  1. Identify - This function helps product owners to understand and manage cybersecurity risks to systems, assets, data, and capabilities. It is the foundation upon which all other functions are built.
  2. Protect - The Protect function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. It focuses on limiting or containing the impact of a potential cybersecurity event. For example, implementing access controls, conducting security awareness training, encrypting sensitive data, and regularly updating security measures.
  3. Detect - The Detect function defines activities to identify the occurrence of a cybersecurity event promptly. Early detection is critical for minimizing the impact of an incident. For example, monitoring network traffic (Automotive CAN, Ethernet etc.) for unusual patterns, maintaining intrusion detection systems, and establishing incident detection protocols.
  4. Respond - It defines appropriate actions to take once a cybersecurity event is detected. Effective response activities minimize the impact of an incident.
  5. Recover - It defines activities to restore services and capabilities affected by a cybersecurity incident. It focuses on resilience and recovery planning.

We will look in depth at these functions in a later blog.
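To make the Detect function concrete for an embedded product, here is an added example (not code from the original post) of the kind of "unusual pattern" monitoring mentioned above, applied to an automotive CAN bus. It learns the normal broadcast period and data length per arbitration ID from a clean window of traffic, then flags frames from unknown IDs, frames with an unexpected DLC, and frames arriving far faster than their learned period (a classic sign of message injection). The log format, the arbitration IDs and the sample frames are all constructed for illustration, not captured from a real vehicle.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since capture start
    can_id: int    # 11-bit arbitration ID
    dlc: int       # data length code
    data: bytes


def parse_frame(line: str) -> Frame:
    """Parse one log line in the assumed format '<seconds> <hex id> <dlc> <hex payload>'."""
    ts, can_id, dlc, payload = line.split()
    data = bytes.fromhex(payload)
    if len(data) != int(dlc):
        raise ValueError(f"DLC {dlc} does not match payload length {len(data)}")
    return Frame(float(ts), int(can_id, 16), int(dlc), data)


def learn_baseline(frames):
    """Learn, per arbitration ID, the mean inter-arrival period and the set of DLCs seen.
    Periodic broadcast frames on a vehicle bus make this a usable model of 'normal'."""
    stamps = defaultdict(list)
    dlcs = defaultdict(set)
    for f in sorted(frames, key=lambda f: f.ts):
        stamps[f.can_id].append(f.ts)
        dlcs[f.can_id].add(f.dlc)
    baseline = {}
    for cid, ts in stamps.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if gaps:  # at least two frames are needed to estimate a period
            baseline[cid] = {"period": mean(gaps), "dlcs": dlcs[cid]}
    return baseline


def detect(frames, baseline, speedup=0.5):
    """Return (timestamp, can_id, reason) alerts for three unusual patterns:
    an ID never seen in training, a DLC the ID never used, and a frame arriving
    in less than `speedup` x the learned period (typical of message injection)."""
    alerts = []
    last_seen = {}
    for f in sorted(frames, key=lambda f: f.ts):
        model = baseline.get(f.can_id)
        if model is None:
            alerts.append((f.ts, f.can_id, "unknown arbitration ID"))
        else:
            if f.dlc not in model["dlcs"]:
                alerts.append((f.ts, f.can_id, f"unexpected DLC {f.dlc}"))
            prev = last_seen.get(f.can_id)
            if prev is not None and (f.ts - prev) < speedup * model["period"]:
                alerts.append((f.ts, f.can_id,
                               f"interval {f.ts - prev:.3f}s below baseline {model['period']:.3f}s"))
        last_seen[f.can_id] = f.ts
    return alerts


# Constructed sample logs (not captured from a real vehicle): ID 0x100 every 10 ms and
# ID 0x200 every 100 ms during a clean training window ...
TRAINING_LOG = """\
0.000 100 8 0000000000000000
0.010 100 8 0000000000000000
0.020 100 8 0000000000000000
0.030 100 8 0000000000000000
0.000 200 4 00000000
0.100 200 4 00000000
0.200 200 4 00000000"""

# ... followed by a live window containing an injected 0x100 frame 2 ms after the
# genuine one, a frame from an ID never seen before, and a 0x200 frame with a short DLC.
LIVE_LOG = """\
1.000 100 8 0000000000000000
1.010 100 8 0000000000000000
1.012 100 8 00000000000000FF
1.020 100 8 0000000000000000
1.000 200 4 00000000
1.050 7FF 8 DEADBEEFDEADBEEF
1.100 200 2 0000"""


def run_example():
    """Train on the clean window, then scan the live window; returns the alert list."""
    baseline = learn_baseline(parse_frame(l) for l in TRAINING_LOG.splitlines())
    return detect((parse_frame(l) for l in LIVE_LOG.splitlines()), baseline)


if __name__ == "__main__":
    for ts, cid, reason in run_example():
        print(f"t={ts:.3f}s id=0x{cid:03X}: {reason}")
```

On the constructed input this raises exactly three alerts: the injected 0x100 frame, the unknown ID 0x7FF, and the 0x200 frame whose DLC dropped from 4 to 2. The `speedup` threshold is deliberately loose (half the learned period) so that normal jitter on a real bus does not trip it; in a product you would tune it per ID from a longer baseline.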

Implementation Tiers

The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. They help product owners and organizations gauge the rigor and sophistication of their cybersecurity practices.

Tiers:

  1. Tier 1, Partial - Risk management practices are not formalized, and risk is managed in an ad hoc and reactive manner.
  2. Tier 2, Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy.
  3. Tier 3, Repeatable - Risk management practices are formally approved and expressed as policy. The organization's cybersecurity practices are regularly updated based on changes in business requirements and the threat environment.
  4. Tier 4, Adaptive - The organization adapts its cybersecurity practices based on lessons learned and predictive indicators, taking a proactive approach to cybersecurity.

Framework Profiles

A Framework Profile represents the alignment of the Framework Core functions, categories and subcategories with the business requirements, risk tolerance and resources of the organization. Profiles help product owners and organizations align their cybersecurity activities with those constraints. NIST recommends identifying the cybersecurity outcomes that are currently being achieved (the Current Profile) and the outcomes needed to reach the desired cybersecurity risk management goals (the Target Profile); the difference between the two is the gap to close.
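As an added example (not from the original post), here is the Current-versus-Target Profile comparison turned into a small, repeatable gap analysis. The subcategory IDs are genuine CSF 1.1 identifiers, but their one-line descriptions are paraphrased rather than the official wording, and the statuses and business priorities are constructed for a hypothetical embedded product; the ordinal status scale and the "gap x priority" urgency score are assumptions of this example, not something the framework prescribes.

```python
from dataclasses import dataclass

# Outcome status as a small ordinal scale (constructed for this example).
STATUS = {"not_achieved": 0, "partially_achieved": 1, "achieved": 2}


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 1.1 subcategory ID (real identifiers)
    description: str   # paraphrased, not the official wording
    current: str       # Current Profile: what is achieved today
    target: str        # Target Profile: what the risk tolerance demands
    priority: int      # 1 = highest business impact (constructed)


def gap(o: Outcome) -> int:
    """Number of status steps separating current from target (0 means already met)."""
    return STATUS[o.target] - STATUS[o.current]


def prioritized_gaps(outcomes):
    """Outcomes not yet at target, most urgent first: larger gap and higher business
    priority sort earlier; ties break on subcategory ID so the output is stable."""
    open_items = [o for o in outcomes if gap(o) > 0]
    return sorted(open_items, key=lambda o: (-(gap(o) * (4 - o.priority)), o.subcategory))


def coverage_by_function(outcomes):
    """Fraction of target outcomes already achieved, per CSF function prefix (ID, PR, DE, RS, RC)."""
    totals, met = {}, {}
    for o in outcomes:
        fn = o.subcategory.split(".")[0]
        totals[fn] = totals.get(fn, 0) + 1
        met[fn] = met.get(fn, 0) + (1 if gap(o) == 0 else 0)
    return {fn: met[fn] / totals[fn] for fn in totals}


# Constructed profile for a hypothetical embedded product (statuses are not real data).
PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", "partially_achieved", "achieved", 2),
    Outcome("PR.AC-1", "Identities and credentials are issued, managed and revoked", "not_achieved", "achieved", 1),
    Outcome("PR.DS-1", "Data-at-rest is protected", "achieved", "achieved", 1),
    Outcome("DE.CM-1", "The network is monitored to detect cybersecurity events", "not_achieved", "partially_achieved", 2),
    Outcome("RS.RP-1", "Response plan is executed during or after an incident", "partially_achieved", "achieved", 3),
    Outcome("RC.RP-1", "Recovery plan is executed during or after an incident", "not_achieved", "achieved", 3),
]


if __name__ == "__main__":
    for o in prioritized_gaps(PROFILE):
        print(f"{o.subcategory}: {o.current} -> {o.target} (priority {o.priority}, gap {gap(o)})")
    for fn, share in coverage_by_function(PROFILE).items():
        print(f"{fn}: {share:.0%} of target outcomes met")
```

Run on the constructed profile, credential management (PR.AC-1) comes out first because it is both furthest from target and highest priority, while PR.DS-1 does not appear at all since it is already at target. Re-running the same script after each improvement cycle gives the "where we are versus where we must be" measure the framework asks for, without a separate maturity model.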

Together, the NIST Cybersecurity Framework's Core, Implementation Tiers and Profiles provide a structured and flexible approach to managing and reducing cybersecurity risk. A product owner can adopt the NIST CSF by identifying potential risks through mapping assets and vulnerabilities, implementing robust security measures to protect sensitive data and systems, establishing real-time monitoring to detect threats and anomalies, and developing incident response plans to respond swiftly to breaches. They can also ensure recovery strategies are in place to restore operations after an incident, use the Tiers to assess cybersecurity maturity, and develop Profiles to tailor security measures to specific business needs, so that the product is secure, resilient and compliant with industry standards.

Conclusion

The NIST Cybersecurity Framework's components, the Framework Core, Implementation Tiers and Profiles, provide a robust foundation for managing cybersecurity risk. By understanding and implementing these components, product owners can develop a comprehensive, adaptive and proactive cybersecurity strategy. As cyber threats continue to evolve, leveraging the CSF helps ensure that embedded product owners are well equipped to protect their critical assets, maintain trust with stakeholders and achieve long-term resilience. On February 26, 2024, NIST released a revised version, NIST CSF 2.0. We will look into its improvements in the upcoming blog.
