NIST opens discussion on critical infrastructure security framework

As the first step in the process to develop a Cybersecurity Framework, the RFI requests ideas, recommendations and other input from critical infrastructure owners and operators, federal agencies, state and local governments, standards-setting organizations, and other interested parties about risk management practices; use of frameworks, standards, guidelines and best practices; and specific industry practices. Specific questions are included in the RFI.

President Obama called for the framework to reduce cyber risks to critical infrastructure vital to the nation's economy, security and daily life. That includes power plants and financial, transportation and communications systems, as detailed in his February 12 executive order on "Improving Critical Infrastructure Cybersecurity."

Comments are due by 5 p.m. ET, Monday, April 8, 2013. Stakeholder meetings are also a part of the framework process, and the first such meeting will be held April 3, 2013, at the NIST headquarters in Gaithersburg, Md.

Vulnerabilities in IT systems that underpin critical infrastructure like the energy grid, water supply facilities, oil and gas systems and transportation have skyrocketed 600% since 2010, according to a recent report from NSS Labs – a concerning state of affairs that has added more wind to the public rhetoric surrounding the potential for a major cyber-terrorist attack.

SCADA systems in particular are at risk. These industrial control systems are often aging and unpatched, offering an easy target for a hacker bent on disrupting critical enterprise and governmental systems.

“With SCADA software being primarily responsible for critical operations and national infrastructures, an attack of this nature could not only result in the loss of data, but can also cause damage to physical assets and in certain scenarios, the loss of life,” said Ross Brewer, vice president and managing director International Markets at LogRhythm, in a recent email to Infosecurity. “As such it’s no surprise that arguably the most notorious cyber attacks of the past couple of years – such as the Stuxnet and Flame viruses – have been SCADA breaches.”