Security Technology Executive

SEP-OCT 2018


SECURITY STANDARDS

Cybersecurity Assessments: An Overview

UL and NIST provide options for system manufacturers and integrators, so which should you choose?

By Darnell Washington, CISSP

Two cybersecurity compliance and conformance programs, the Underwriters Laboratory (UL) 2090 Cybersecurity Assurance Program and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), lead the industry in providing guidelines and technical baselines that reduce the risk of cybersecurity breaches and attacks. Which one is more suitable for your needs?

As technology and network-connected devices reach 20.4 billion devices by 2020, with predictions of cyber breaches costing six trillion dollars in 2021, how do we protect ourselves against self-imposed cyber-Armageddon? The one-size-fits-all approach does not work with cybersecurity. One must be able to accurately assess and evaluate the risk level of the deployment environment where the product will be used.

The Answer Lies in Product Testing and Evaluation

Over time we have seen proof that self-evaluation, self-governance, and self-certification have led to foundational cybersecurity failures – the industry has concluded that very few manufacturers are equipped and staffed appropriately to implement cybersecurity programs, not to mention technical countermeasures that uniformly protect their product lines against cyber threats. So how do we protect our agencies and organizations against ourselves? The answer is third-party assessments.

Now that the industry has recognized that formalized assessment procedures are both necessary and required, through U.S. Executive Orders and Presidential Directives, critical infrastructure protection sectors are finally confronted with mandated regulatory requirements to adopt cybersecurity standards and rigorous testing methods and processes.

These regulated and testing models and processes have become standardized to assert that security policies and practices are put in place to protect network-connected products, solutions, and devices that are delivered to the market. Both UL and NIST have very broad and distinct offerings; we will detail each of them.

UL Standards

First, let's examine the UL 2090 Cybersecurity Assurance Program (CAP). In the product manufacturing arena, UL gained its industry recognition for developing standards for life safety products worldwide. It makes great sense, with the long reputation of UL, that they offer a cybersecurity assurance program. The UL program provides very strong assurances that supply chain processes are validated and defined as part of its intake workshop. The CAP framework guides the manufacturer or vendor through a variety of phases that move into a product evaluation phase that tests the products against a variety of known security vulnerabilities and susceptibilities. One of the very important benefits of the CAP program is that it is an American National Standards Institute (ANSI) certified program which is recognized throughout the world.

NIST Standards

Next, let's take a look at the NIST Cybersecurity assessment standards. It has a core framework, the CSF, and an expanded set of controls that are tailored to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes.

The larger set of controls, the NIST Security and Privacy Controls for Information Systems and Organizations, encompasses a comprehensive assessment methodology that can apply to specific types of organizations, manufacturers, industrial control systems, defense and US Federal contractor protection of confidential and unclassified information, etc.

Which One Do You Choose?

Having performed security assessments using both UL and NIST cybersecurity standards and methodologies, I have concluded that both have their purpose; however, after personally performing the NIST Cybersecurity Framework and its expanded testing procedures, I have found that they are much more complete in determining the security baselines an organization should choose to address relevant cybersecurity requirements.

The basis for my conclusion is that the NIST CSF is further broken down into categories comprised of four elements: functions, categories, subcategories, and informative references that are better for security professionals to follow during the assessment and evaluation of products and technologies. A description of each is listed below:

• Functions: There are five functions used to organize cybersecurity efforts at the most basic level: identify, protect, detect, respond, and recover. Together these five functions form a top-level approach in securing systems and responding to threats. Think of them as your basic incident management tasks.

• Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the
