NIST NISTIR 8183 Rev. 1 Cybersecurity Framework Version 1.1 Manufacturing Profile
こんにちは、丸山満彦です。
NISTが3月に意見募集をしていた、NISTIR 8183 Rev. 1 Cybersecurity Framework Version 1.1 Manufacturing Profileが確定していましたね。。。
この文書は製造環境におけるCSFの実装を支援するため詳細に記述したものという感じですね。
この製造プロファイルは、
- 製造システムの現在のサイバーセキュリティ体制を改善する機会を特定する方法
- 許容可能なリスクレベルで制御環境を運用する能力の評価
- 製造システムのセキュリティを継続的に保証するためのサイバーセキュリティ計画を準備するための標準化されたアプローチ
を提供するものです。。。by Exective Summary
適用可能なサイバーセキュリティのリスク軽減策を検討し、特定し、管理するためにビジネス/ミッション目標との関係を意識する必要があるとしていますね。産業個別のビジネス/ミッション目標は網羅的には記載できないので、製造業セクターに共通のビジネス/ミッション目標を5つ設定していますね。
- Maintain Environmental Safety (環境安全の維持)
- Maintain Human Safety (人的安全の維持)
- Maintain Production Goals (生産目標の維持)
- Maintain Quality of Product (製品品質の維持)
- Maintain Sensitive Information (機密情報の維持)
● NIST - ITL
・2020.10.07 (publication) NISTIR 8183 Rev. 1 Cybersecurity Framework Version 1.1 Manufacturing Profile
Abstract
This document provides the Cybersecurity Framework (CSF) Version 1.1 implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the CSF can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.
Executive Summary
This document provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.
The Profile gives manufacturers:
- A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system
- An evaluation of their ability to operate the control environment at their acceptable risk level
- A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security
The Profile is built around the primary functional areas of the Cybersecurity Framework which enumerate the most basic functions of cybersecurity activities. The five primary functional areas are: Identify, Protect, Detect, Respond, and Recover. These primary functional areas comprise a starting point from which to develop a manufacturer-specific or sector-specific Profile at the defined risk levels of Low, Moderate and High.
This Manufacturing “Target” Profile focuses on desired cybersecurity outcomes and can be used as a roadmap to identify opportunities for improving the current cybersecurity posture of the manufacturing system. The Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals. Relevant and actionable security practices that can be implemented to support key business/mission goals are then identified.
This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.
Table of Contents
Executive Summary
1. Introduction
1.1 Purpose and Scope
1.2 Audience
1.3 Document Structure
2. Overview of Manufacturing Systems
3. Overview of the Cybersecurity Framework
3.1 Framework Core
4. Manufacturing Profile Development Approach
5. Manufacturing Business/Mission Objectives
5.1 Alignment of Subcategories to Meet Mission Objectives
6. Manufacturing System Categorization and Risk Management
6.1 Categorization Process
6.2 Profile’s Hierarchical Supporting Structure
6.3 Risk Management
7. Manufacturing Profile Subcategory Guidance
References
Appendix A - Acronyms and Abbreviations
Appendix B - Glossary
1. Introduction
The Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” [1] directed the development of the voluntary Cybersecurity Framework that provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to manage cybersecurity risk [1] for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
The Cybersecurity Framework is a voluntary, risk-based assemblage of industry standards and best practices designed to help organizations manage cybersecurity risks [2]. The Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without imposing additional regulatory requirements.
The Manufacturing Profile (Profile) defines specific cybersecurity activities and outcomes for the protection of the manufacturing system, its components, facility, and environment. Through use of the Profile, the manufacturer can align cybersecurity activities with business requirements, risk tolerances, and resources. The Profile provides a manufacturing sector-specific approach to cybersecurity from standards, guidelines, and industry best practices.
1.1 Purpose and Scope
This document represents a “Target” Profile that focuses on the desired cybersecurity outcomes and provides an approach to the desired state of cybersecurity posture of the manufacturing system. It can be used to identify opportunities for improving a cybersecurity posture by comparing the current state with the desired (Target) state. Creating a Target Profile is Step 5 of Section 3.2: Establishing or Improving a Cybersecurity Program of the Cybersecurity Framework, Version 1.1 [2]. The Target Profile can also be used for comparison with the current state to influence process improvement priorities for the organization. The manufacturing system’s “Current” Profile represents the outcomes from the Framework Core that are currently being achieved.
The Manufacturing “Target” Profile focuses on desired cybersecurity outcomes and can be used as a guideline to identify opportunities for improving the current cybersecurity posture of the manufacturing system. The Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals. Relevant and actionable security practices that can be implemented to support key business/mission goals are then identified.
Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives. Prioritization of gap mitigation is driven by the organization’s business needs and risk management processes. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner. The following are examples of how the Target Profile may be used:
- A manufacturer may utilize the Target Profile to express cybersecurity risk management requirements to an external service provider.
- A manufacturer may express a system’s cybersecurity state through a Current Profile to report results relative to the Target Profile, or to compare with acquisition requirements.
- A critical infrastructure owner/operator, having identified an external partner upon whom that infrastructure depends, may use the Target Profile to convey required cybersecurity outcomes.
- A critical infrastructure sector may establish a baseline that can be used among its constituents as a sector-specific starting point from which to build tailored Target Profiles.
The Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems.
2. Overview of Manufacturing Systems
Industrial Control Systems (ICS), which include manufacturing systems, represent different types of control systems including supervisory control and data acquisitions (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLCs) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, and pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). ICS support the large and diverse manufacturing industrial sector and can be categorized as either process-based, discrete-based, or a combination of both [3].
Process-based manufacturing industries typically utilize two main process types:
- Continuous Manufacturing Processes. These processes run continuously, often with phases to make different grades of a product. Typical continuous manufacturing processes include fuel or steam flow in a power plant, petroleum in a refinery, and distillation in a chemical plant.
- Batch Manufacturing Processes. These processes have distinct processing steps, conducted on a quantity of material. There is a distinct start and end to a batch process with the possibility of brief steady state operations during intermediate steps. Typical batch manufacturing processes include food, beverage, and biotech manufacturing.
Discrete-based manufacturing industries typically conduct a series of operations on a product to create the distinct end product. Electronic and mechanical parts assembly and parts machining are typical examples of this type of industry. Both process-based and discrete-based industries utilize similar types of control systems, sensors, and networks. Some facilities are a hybrid of discrete and process-based manufacturing.
Additionally, to support both process-based and discrete-based manufacturing processes, manufacturers must also manage the supply chain for both technology-based inputs used in their final products (e.g. programmable logic controllers, sensors, robotics, data collection systems, and other information technologies), technology-based products used by the organization, and non-technology input products (e.g., non-IT components manufactured by third-party suppliers that are utilized to manufacture the final product).
Manufacturing industries are usually located within a confined factory or plant-centric area. Communications in manufacturing industries are typically performed using fieldbus and local area network (LAN) technologies that are reliable and high speed. Wireless networking technologies are gaining popularity in manufacturing industries. Fieldbus includes, for example, DeviceNet, Modbus, and Controller Area Network (CAN) bus.
The Manufacturing sector of the critical infrastructure community includes public and private owners and operators, along with other entities operating in the manufacturing domain. Members of the distinct critical infrastructure sector perform functions that are supported by ICS and by information technology (IT). This reliance on technology, communication, and the interconnectivity of ICS and IT has changed and expanded the potential vulnerabilities and increased potential risk to manufacturing system operations.
5. Manufacturing Business/Mission Objectives
The development of the Profile included the identification of common business/mission objectives to the manufacturing sector. These business/mission objectives provide the necessary context for identifying and managing applicable cybersecurity risk mitigation pursuits [2]. Five common business/mission objectives for the manufacturing sector were initially identified: Maintain Human Safety, Maintain Environmental Safety, Maintain Quality of Product, Maintain Production Goals, and Maintain Trade Secrets. Other business/mission objectives were identified for the manufacturing sector but not included in this initial profile. Key cybersecurity practices are identified for supporting each business/mission objective, allowing users to better prioritize actions and resources according to the user’s defined needs.
These Business/Mission Objectives Are Not Listed in Prioritized Order.
Maintain Environmental Safety
Manage cybersecurity risks that could adversely affect the environment, including both accidental and deliberate damage. Cybersecurity risk on the manufacturing system could potentially adversely affect environmental safety. Personnel should understand cybersecurity and environmental safety interdependencies.
Maintain Human Safety
Manage cybersecurity risks that could potentially impact human safety. Cybersecurity risk on the manufacturing system could potentially adversely affect human safety. Personnel should understand cybersecurity and safety interdependencies.
Maintain Production Goals
Manage cybersecurity risks that could adversely affect production goals. Cybersecurity risk on the manufacturing system, including asset damage, could potentially adversely affect production goals. Personnel should understand cybersecurity and production goal interdependencies.
Maintain Quality of Product
Manage cybersecurity risks that could adversely affect the quality of product. Protect against compromise of integrity of the manufacturing process and associated data.
Maintain Sensitive Information
Manage cybersecurity risks that could lead to the loss or compromise of the organization’s intellectual property and sensitive business data including personally identifiable information (PII).
« 米空軍は「連邦U-2ラボがU-2 Dragon LadyをKubernetesで飛行させた」と公開していますね。。。 | Main | 米国GAOは連邦航空局がアビオニクスのリスクベースのサイバーセキュリティ監視を強化するための仕組みを入れる必要があると推奨していますね。。。 »
Comments