
DNX CSF: Why NIST CSF Is Hard To Automate.


'Why NIST CSF Is Hard To Automate' is the second blog in our DNX CSF series and is written by DeNexus' Director of OT Cybersecurity, Donovan Tindill.

As referenced in the first blog post of the DNX Cyber Security Framework series, although NIST Cyber Security Framework (CSF) is widely adopted globally as a reference for defining functional cybersecurity, it does not include a simple set of questions that can quickly determine a level of conformance. Also, most frameworks do not consider automated versus manual assessments. 

The start of any cybersecurity program is an assessment of strengths and weaknesses. From DeNexus’ experience, most industrial asset owners execute a cybersecurity vulnerability assessment (CSVA) every 1-3 years. A consultant or other facilitator comes to their industrial facility to document their cybersecurity posture, findings, and risks for that point in time. This is where frameworks like the NIST CSF are used to ensure all functions and segments of the cybersecurity program are evaluated. Most of the methods used for data collection are manual or rely on facilitated interviews of multiple facility personnel. Although effective, this type of CSVA and interview process has its own challenges:

      • Assessment results are accurate for a point in time, but their accuracy decreases over time.
      • Responses provided by multiple staff may vary. This is evidence of bias, subjectivity, or assumptions in cybersecurity questioning. We might not be asking the right person.
      • The assessment process consumes valuable time from existing staff. The more detailed the assessment, the more staff time is needed to support it.
      • Data may exist in cybersecurity tools, but it takes staff time to extract it and experts to analyze it.
      • Decision makers want timely information, but it is not financially viable to perform this type of assessment monthly/weekly.

At DeNexus, we identified that traditional cyber assessment techniques cannot provide unbiased, timely, and accurate information without significant effort or cost. Our first priority is to use Inside-data to feed data into DeRISK, our flagship Cyber Risk Quantification and Management platform, beginning with our integrations with leading OT cybersecurity telemetry vendors. For our customers, first we leverage the information they already have, and second we automate its collection, analysis, and use in our models.

Here is what we discovered trying to automate all 108 controls in the NIST CSF:

      • Using just passive OT monitoring tools (the least intrusive way to get automated OT data), at best ~23% of NIST CSF controls are supported with passive data. Of this, only ~13% of NIST CSF controls are supported with adequate or complete data (e.g., baseline of network communications). For the other 10%, it is either incomplete or suspect (e.g., count of cyber assets with vulnerabilities; count of malware detections).
      • Even after expanding to include many other cybersecurity solutions found in ICS/OT environments (e.g., antivirus, firewalls, SIEM, Active Directory, remote access, backups), less than half of NIST CSF controls can be supported by data-driven evidence, and many still need to be backed by documentation to be fully verified.

We realized that NIST CSF was not developed with ‘data-driven evidence’ in mind. In fact, no cybersecurity standard or framework built to date prioritized requirements or indicators that can be driven by data. Not until we developed and released DNX CSF.


The need for a data-driven framework is one of the reasons that led to DNX CSF. Many organizations find the 108 controls in NIST CSF overwhelming to assess, and our simplified DNX CSF helps to accelerate the assessment process in the areas of cyber risk that really matter.

Click here to learn more about the DNX CSF, and here to learn more about DeRISK, the only evidence-based, data-driven platform that gives OT industrial stakeholders visibility to a facility’s Exposure to cyber events, calculations of Probability, Financial Impact / Loss of potential cyber events, and delivers the ROI-based Mitigation Options available to reduce cyber risk over time.

Stay tuned for the next Blog in the DNX CSF series.  

