The NIST Cyber Security Framework (NIST-CSF) was born out of the need for a standardised approach to cyber security and has evolved into a versatile tool used globally. In this blog, we explore a high-level overview of the NIST-CSF, including its origins and structure. We’ll also explore its application in the Australian critical infrastructure landscape, serving as a guide to fortify operational technology (OT) security against evolving threats. 

So, what is the NIST-CSF? 

The National Institute of Standards and Technology Cyber Security Framework (NIST-CSF) is a framework that encompasses the general but thorough area of IT to better manage, reduce, and mitigate cyber security risks based on existing standards, guidelines, and practices for organisations to promote the protection of critical infrastructure. It was also designed to foster better communication on the cyber risks and security amongst internal and external stakeholders. This framework helps to prioritise an approach that is flexible and repeatable for owners and operators of infrastructure to better manage cyber-related risks.  

NIST-CSF background 

The process of improving NIST-CSF started in 2013 and the publication of version 1.0 was released a year later in 2014. This development of the CSF was to introduce sharing of cyber security threat information and to expand on approaches to reduce risks for infrastructure supported through a criteria during development to ensure that it includes identifying security standards, providing a realistic approach to for organisations to meet completion, and help system owners and operators of risk management to achieve security.  

Within the context of operational technology (OT), Special Publication 800-82 provides a comprehensive exploration of Industrial Control Systems (ICS). This publication has undergone three revisions, with the ongoing development of revision three aimed at expanding its scope to encompass a broader range of cyber-physical technology, primarily within the broader realm of OT, as opposed to focusing on the subset of ICS-based technologies. 

Structure of the framework 

The general NIST-CSF framework is split into three main components: Core, Tiers, and Profiles. These components are designed to complement each other and provide a comprehensive structure for organisations to better understand the framework in a variety of contexts. 

The Core component consists of three parts: Functions, Categories, and Subcategories. Functions are further categorised into five parts (identify, protect, detect, respond, and recover), which are applicable to general risk management. The framework core is designed with the mind of enabling multi-disciplinary teams to communicate by using simplistic and non-technical language. 

The “Tiers” are distinguished by numbers ranging from 1 to 4:  

• Tier 1: Partial 
• Tier 2: Risk Informed 
• Tier 3: Repeatable, and  
• Tier 4: Adaptive.  

These tier levels indicates the degree to which the organisation’s cyber security risk management exhibits those characteristics that are defined within the framework.  

Lastly, “Profiles” are unique to each organisation as they include organisational requirements, objectives, risk appetites, and resources. Profiles are used to identify opportunities to improve cyber security posture, analyse the gaps, and optimise the framework to be adapted within the organisation. 

In August 2023 NIST released a public draft of its NIST Cyber Security Framework 2.0, inviting feedback until 4 November 2023. One of the biggest changes to the framework is that a sixth function has been added: govern. This additional function covers how an organisation can make and execute internal decisions to support its cyber security strategy. This revision emphasises that cyber security is a major source of enterprise risk and a consideration for senior leadership.

Extending NIST-CSF to operational technology 

To effectively apply the NIST-CSF guidelines to OT, NIST has undertaken the development of Special Publication 800-82r3. This publication is currently in progress, with the aim of expanding its reach to encompass a wide array of industrialised systems within the OT environments. These systems include programmable logic controllers (PLCs), distributed control systems (DCS), and various other digitalised equipment and instrumentation that interface directly with the physical world. By incorporating these advancements, NIST seeks to provide comprehensive guidance for the secure and efficient integration of OT systems into the evolving technological landscape. 

NIST-CSF use within Australia 

Australian industries, such as health and water, have applied NIST-CSF as a standard to maintain their technology assets as stated above. Added on are power transmission providers and generators, including Victoria’s Government to implement NIST-CSF for their “Security of Water Infrastructure Control Systems” document to provide guidance. The Department of Home Affairs have also been consulted by Water Services Association of Australia (WSAA) in collaboration with Australian water utilities in their water sector consultation submission to CI SONS, that the NIST-CSF is a supportive framework to assist in identifying security risks and vulnerabilities for critical environments. 

Need guidance on selecting the right framework for your organisation? 

Selecting the right framework is an important first step to ensuring a secure environment, but with so many options on the market, it can prove a daunting task. As a trusted provider of comprehensive cyber security solutions, Secolve offers expertise and guidance needed to navigate the intricacies of these frameworks. We understand the unique challenges faced by OT organisations of all sizes and can assist you in selecting, implementing, and optimising the right framework for your specific needs. 

Contact us today to learn more about how we can empower your organisation to navigate the ever-evolving cyber landscape and stay one step ahead of potential threats.