
How CIRA can help you reach your NIST 2.0 goals

By Eric Brynaert
Product Marketing Manager

Introduction 

On February 26th, 2024, the National Institute of Standards and Technology (NIST) unveiled their new Cybersecurity Framework (CSF) 2.0 Reference tool. This was the most significant upgrade to the framework since it was released in 2014. The original NIST CSF was developed in response to increasing cybersecurity threats—including high-profile cyber incidents like the Target data breach and Edward Snowden leaks in 2013—and concerns about critical infrastructure.  

The NIST CSF was the product of industry and government collaboration, aimed at addressing the increasing cybersecurity challenges faced by organizations across critical infrastructure sectors. NIST 2.0 seeks to take lessons learned from the original framework and apply them to a wider range of organizations. The updated framework is intended to better reflect the evolving threat landscape and provide a flexible and effective approach to managing cybersecurity risks in today’s dynamic and interconnected digital environment. 

The NIST CSF remains especially important for organizations in the critical infrastructure sector, such as utilities. As the sector continues to undergo a digital transformation, it is increasingly dependent on connected systems that monitor stations, evaluate outputs and/or analyze data to support more efficient operations and improved service. This increased reliance on an internet-connected ecosystem increases the opportunity for malicious actors to introduce vulnerabilities into an organization’s operational technology (OT) and information technology (IT) systems and networks.  

By following NIST guidelines, utilities providers can manage and mitigate risks using in-house expertise, partners and commercially available products. The findings from assessing your organization’s cybersecurity posture against the framework can serve as a starting point in better mitigating cybersecurity risks for your specific production environment. This is especially important for the utilities sector, as they form the backbone of Canada’s critical infrastructure. Disruptions can have profound and widespread consequences, impacting public health, transportation and the economy.  

What’s changed in NIST 2.0  

The original framework was developed to bolster the cybersecurity and resilience of the nation’s critical infrastructure; however, while its principles and guidelines were intended to be universally applicable and not confined to any one sector, it still felt too complex for many smaller organizations. 

NIST 2.0 seeks to address early feedback and to take this universal applicability a step further, updating the guidelines to be more inclusive of all organization types. The updates also seek to ensure that organizations can take steps to address cybersecurity challenges which have emerged or escalated over the past decade, including cloud, mobile and artificial intelligence system threats.   

While NIST 2.0 is the first significant update in the framework since its inception, the most important modifications are structural. For those already familiar with the NIST CSF, the biggest difference will be the addition of a new ‘Govern’ function. It is designed to aid organizations in crafting a cybersecurity strategy that is in alignment with their overarching mission and risk tolerance. Although most controls within the new ‘Govern’ function existed in previous versions of NIST, they were previously distributed among the five other functions: Identify, Protect, Detect, Respond and Recover. 

The introduction of a new function by NIST underscores the need for a foundational layer that extends beyond mere technical and operational control. This move by NIST sends a clear message: cybersecurity transcends the realm of IT and is a crucial component of an organization’s governance and strategic planning. 

Before delving into what NIST 2.0 is, we must establish what it is not: NIST 2.0 is not a set of laws. The NIST CSF was designed as a framework to be used by a wide variety of organizations with any degree of risk or sophistication. This includes private companies, federal government contractors and public organizations. That said, NIST compliance isn’t easy and while it is a great standard, it can be difficult to justify in situations where there are 50 or fewer employees. For these organizations, the Canadian Centre for Cyber Security’s baseline cyber security controls for small and medium organizations would be more appropriate.   

NIST is also not a regulatory agency, so the adoption of the framework is generally voluntary; however, certain organizations (mostly in the U.S.) are required to use it. Executive Order 13800 made the NIST framework mandatory for U.S. federal government agencies and some federal and state governments and insurance organizations have since also made the NIST framework mandatory internally.  

NIST 2.0 can help you develop an objective, risk-aware security roadmap which helps you understand how to spend your best cybersecurity dollar. It provides organizations with risk-informed priority, forcing them to evaluate their current cybersecurity posture against what is recommended.  

Organizations who aim to be compliant must map out what measures are currently in place, and which risks they are most exposed to. In doing so, organizations should take a risk-informed decision about what measures to put in place next. NIST 2.0 is not a checklist of measures to put in place, but rather a methodology, using tools like checklists to protect your organization through an objective lens.  

Constructing and sustaining a comprehensive program that encompasses the broad spectrum of information security areas is challenging due to various factors, including evolving threats, resource constraints and technological complexities. Organizations often rely on integrated security platforms and security partners to assist them in navigating these challenges effectively and ensuring the robustness of their cybersecurity defences. These platforms and partnerships facilitate the alignment of people, processes and tools, enabling organizations to establish and maintain a resilient cybersecurity posture tailored to their specific needs and circumstances. 


How CIRA Cybersecurity Services can help you with NIST 2.0 compliance 

CIRA’s cybersecurity services are dedicated to helping accelerate improved cyber resilience in Canadian organizations with our cybersecurity solutions. We offer protection in areas critical to keeping the utilities sector online.  

As a leading authority in Canada’s networking realm, CIRA has proudly managed the .CA domain, serving Canadians with trust for over two decades. We are dedicated to upholding the stability and security of Canada’s internet infrastructure by providing invaluable insights into cybersecurity. Our suite of services is tailored to align with NIST 2.0 controls, bolstering your organization’s cybersecurity resilience. Explore the accompanying graphic and definitions below to discover how our solutions can streamline your path to NIST 2.0 compliance. 

By leveraging our services, organizations can accelerate and streamline various sub-categories, ultimately enhancing their overall cybersecurity posture and achieving better outcomes. 

PR.AT – Awareness and Training 

New definition: The organization’s personnel and third-parties are provided cybersecurity awareness and training to perform their cybersecurity-related tasks consistent with relevant policies, procedures, and agreements.  

CIRA’s Cybersecurity Awareness Training is designed to empower your organization’s personnel with the knowledge and skills necessary to protect against cybersecurity threats. Our comprehensive training platform includes a variety of courses and simulations that cover a wide range of cybersecurity topics. Each user is assigned a personal risk score, which is updated based on their progress and performance in the courses and simulations. This allows you to track the effectiveness of the training and identify areas where additional training may be needed. Our platform also includes Canadian content in both English and French, ensuring that all members of your organization can participate in the training. 

DE.AE – Adverse event awareness 

Definition: Adverse cybersecurity events are analyzed to find and characterize possible attacks and compromises, unauthorized and inappropriate activities, protection deficiencies and other activity with a potentially negative impact on cybersecurity.  

CIRA’s DNS Firewall and Anycast DNS solutions can provide your organization’s Security Operations Command Center (SOCC) with valuable threat detection capabilities. Anycast DNS can detect incidents such as DDoS attacks by monitoring server traffic. If a server is overwhelmed with traffic, it could indicate a potential attack, triggering alerts for further investigation. Similarly, the DNS Firewall can alert your IT security teams to potential incidents by monitoring block information. This allows your team to respond quickly when attacks such as botnet activity are targeting your networks. 
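The "monitoring block information" idea above can be made concrete with a small alerting rule. The following is an added example, not CIRA code and not the DNS Firewall's actual export format: it assumes a hypothetical CSV of resolver events (timestamp, client IP, queried name, threat category, allow/block) and raises an alert when one client accumulates several blocks inside a short window, which is the pattern a SOC would triage as a possibly infected host rather than a one-off typo or ad domain. The sample log lines and category names are constructed for illustration.

```python
"""Threshold alerting over DNS Firewall block events.

Added example (not CIRA code). The log format is a constructed, hypothetical
CSV: timestamp, client_ip, queried_name, threat_category, action.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host repeatedly hits a blocked "botnet" domain
# about once a minute (beacon-like), two other hosts see single blocks.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z,10.20.0.15,update.example-cdn.test,none,allow
2024-03-01T10:00:05Z,10.20.0.42,c2-beacon.example.test,botnet,block
2024-03-01T10:01:05Z,10.20.0.42,c2-beacon.example.test,botnet,block
2024-03-01T10:02:05Z,10.20.0.42,c2-beacon.example.test,botnet,block
2024-03-01T10:03:05Z,10.20.0.42,c2-beacon.example.test,botnet,block
2024-03-01T10:03:40Z,10.20.0.77,phish-login.example.test,phishing,block
2024-03-01T10:04:05Z,10.20.0.42,c2-beacon.example.test,botnet,block
2024-03-01T10:05:00Z,10.20.0.15,mail.example-corp.test,none,allow
2024-03-01T11:30:00Z,10.20.0.77,ads.example.test,adware,block
"""

BLOCK_THRESHOLD = 3                    # blocks from one client within WINDOW -> alert
WINDOW = timedelta(minutes=10)
HIGH_SEVERITY = {"botnet", "malware"}  # hypothetical category names


def parse_events(text):
    """Parse the constructed CSV format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, client, qname, category, action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"time": when, "client": client, "qname": qname,
                       "category": category, "action": action})
    return events


def find_alerts(events, threshold=BLOCK_THRESHOLD, window=WINDOW):
    """Return one alert per client that has >= threshold blocks in a sliding window.

    A single block is noise; repeated blocks from the same client against a
    high-severity category in a short window look like beaconing from an
    infected host and deserve SOC triage.
    """
    blocks_by_client = defaultdict(list)
    for ev in events:
        if ev["action"] == "block":
            blocks_by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in blocks_by_client.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                categories = {e["category"] for e in evs[start:end + 1]}
                severity = "high" if categories & HIGH_SEVERITY else "medium"
                alerts.append({"client": client, "count": count,
                               "categories": sorted(categories),
                               "severity": severity,
                               "first": evs[start]["time"],
                               "last": evs[end]["time"]})
                break  # one alert per client is enough to open a ticket
    return alerts


def summarize(events):
    """Blocks per category: material for the daily report rather than for paging."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "block":
            counts[ev["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_alerts(evs):
        print(f"[{a['severity']}] {a['client']}: {a['count']} blocks "
              f"({', '.join(a['categories'])}) between {a['first']} and {a['last']}")
    print("blocks by category:", summarize(evs))
```

Run as-is, the script raises a single high-severity alert for 10.20.0.42 (three blocks within two minutes) and leaves the two isolated blocks as report-only data. The threshold and window are the tuning knobs a team would adjust against its own false-positive rate; the per-client, per-window design is what separates "a user mistyped a domain" from "a host is calling home".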

ID.RA – Incident Analysis  

New Definition: Processes for receiving, analyzing and responding to vulnerability disclosures are established (formerly RS.AN-5).  

CIRA’s DNS Firewall and Anycast DNS solutions provide valuable insights that can aid in incident analysis. By consulting historical data on the platform, your IT security teams can analyze the nature of DNS-based attacks targeting your organization. This information can be used to identify patterns, uncover vulnerabilities and develop strategies to prevent future attacks. 

RS.MI – Incident Mitigation 

New Definition: Activities are performed to prevent expansion of an event, mitigate its effects and resolve the incident.  

CIRA’s cybersecurity solutions are designed to not only detect incidents but also to mitigate their impact. Our DNS Firewall and Anycast DNS solutions can help prevent the expansion of an event by blocking malicious traffic and absorbing DDoS attacks. This allows your IT security teams to focus on ensuring the integrity of your other systems and minimizing the impact of the incident on your organization. 

How to get started with NIST 2.0 Compliance 

As previously mentioned, while NIST 2.0 is an excellent cybersecurity standard, compliance requires a heavy organizational lift and is not best suited to most organizations with fewer than 50 employees. If you are responsible for the cybersecurity of a smaller organization, we recommend you consider the Canadian Centre for Cyber Security’s Baseline cyber security controls for small and medium organizations. For organizations who believe NIST 2.0 compliance is right for them, follow the steps below:  

Assess 

The first, and most important, step you will take on your journey to NIST 2.0 compliance is assessing your organization’s current cybersecurity posture. Take the NIST 2.0 framework and assess your organization’s progress towards it.

You will not only assess the status of the specific controls in place in your organization, but also the risk probability and severity in the event of an incident. In doing so, you will create a high-level risk inventory so that stakeholders in your organization fully understand what you are up against. Use the NIST Cybersecurity Framework, the NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments or ISO 31000:2018 as references.  

Prioritize 

Now that you have created an inventory of your assets, cybersecurity controls and risks, you want to effectively prioritize the top risks you are going to tackle.  

One of the most important considerations in this step is to ensure that you have consulted all the right people. This includes IT and security but also executive leadership, finance, risk managers and more. To determine which controls to tackle next, follow these steps:  

  1. Risk ranking: evaluate each risk from your risk inventory based on its potential impact and likelihood of occurrence. Make sure to prioritize the risks which could cause the most significant damage to your organization or are most likely to occur. 
  2. Align with business objectives: this is an important step which many organizations lose sight of. You want to ensure that your risk mitigation efforts align with your business’ overall objectives, prioritizing risks that could hinder your strategic goals.  
  3. Resource allocation: carefully and realistically consider your organization’s resources. You will have to prioritize risks that you have the resources to adequately address.  
  4. Stakeholder input: involve relevant stakeholders in the prioritization process. Your stakeholders’ diverse perspectives can help provide you with a more holistic view of organizational risks.  
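The four steps above can be carried out on a small risk register in code, which makes the ranking reproducible and easy to revisit when stakeholders change an estimate. The example below is added here and is not from the article or from NIST: the 1 to 5 likelihood and impact scales, the 1.5 weighting for risks that hinder a strategic objective, the cost units and the five sample risks are all constructed, and the mapping of each risk to CSF 2.0 categories is a hypothetical illustration using only the category IDs mentioned earlier on this page.

```python
"""Risk ranking with business-objective weighting and budget-constrained selection.

Added example, not from the article. Scales, weights, costs and sample
risks are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), agreed with stakeholders
    impact: int            # 1 (negligible) .. 5 (severe)
    strategic: bool        # would it hinder a stated business objective?
    mitigation_cost: int   # constructed units, e.g. thousands of dollars
    owner: str             # stakeholder who supplied / signs off the estimate
    controls: list = field(default_factory=list)  # hypothetical CSF 2.0 category mapping

    def score(self, strategic_weight=1.5):
        """Step 1 (likelihood x impact) with step 2 applied as a multiplier."""
        base = self.likelihood * self.impact
        return base * strategic_weight if self.strategic else base


# Constructed sample register for a small utility.
SAMPLE_RISKS = [
    Risk("Phishing leading to credential theft", 4, 4, False, 20, "IT", ["PR.AT"]),
    Risk("DDoS against the customer portal", 3, 5, True, 40, "Operations", ["DE.AE", "RS.MI"]),
    Risk("Unpatched OT HMI", 2, 5, True, 60, "Engineering", ["ID.RA"]),
    Risk("Unencrypted laptop lost", 3, 2, False, 5, "IT", []),
    Risk("Stale vendor accounts", 4, 3, False, 10, "Risk management", ["ID.RA"]),
]


def rank_risks(risks):
    """Highest score first; cheaper mitigation and then name break ties deterministically."""
    return sorted(risks, key=lambda r: (-r.score(), r.mitigation_cost, r.name))


def select_within_budget(risks, budget):
    """Step 3: walk the ranked list and fund what the remaining budget allows.

    A risk you cannot afford this cycle is skipped rather than blocking the
    cheaper ones behind it; it stays in the register for the next reassessment.
    Returns (chosen risks, unspent budget).
    """
    chosen, remaining = [], budget
    for r in rank_risks(risks):
        if r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    return chosen, remaining


def deferred(risks, budget):
    """Risks left unfunded, so they can be reported back to their owners (step 4)."""
    chosen, _ = select_within_budget(risks, budget)
    chosen_names = {r.name for r in chosen}
    return [r for r in rank_risks(risks) if r.name not in chosen_names]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():5.1f}  cost={r.mitigation_cost:3d}  {r.name}  (owner: {r.owner})")
    chosen, left = select_within_budget(SAMPLE_RISKS, budget=80)
    print("funded:", [r.name for r in chosen], "unspent:", left)
    print("deferred:", [r.name for r in deferred(SAMPLE_RISKS, 80)])
```

With a budget of 80 units the DDoS risk (score 22.5) and phishing (16) are funded first; the OT HMI risk ranks third but at 60 units does not fit the remaining 20, so it is deferred and the two cheaper risks are taken instead. That is exactly the situation the "resource allocation" step describes, and the deferred list is what you bring back to stakeholders and re-score at the next review.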

Prioritization in cybersecurity risk management is crucial because there are never enough resources to do everything—so maximizing the effectiveness of every dollar spent minimizes risk. Without prioritization, organizations may spread their resources too thinly, leaving them vulnerable to the most damaging risks. 

Make sure to regularly revisit your risk prioritization. The cybersecurity landscape is constantly evolving, and what may not have been a significant risk yesterday could be a major threat today. Regular reassessments ensure that your organization stays ahead of potential threats. 

Implement 

After you’ve prioritized your cybersecurity controls, the next phase is implementation. This is where your team will start to put the controls into action, based on the order you’ve established during the prioritization process. 

Some controls might be straightforward enough for your team to handle internally. For instance, you might be able to set up password policies or other basic security measures on your own.  

However, other controls might be more complex and require specialized knowledge or resources. In these cases, you’ll likely need to seek assistance from external partners. These could be vendors who provide specific cybersecurity services, or consultants who can guide you through the process of implementing more advanced controls. 

As you go through this process, it’s important to remember that implementation is not a one-time event, but an ongoing activity. Cybersecurity is a dynamic field, and new threats emerge all the time. Therefore, you’ll need to regularly review and update your controls to ensure they remain effective. 

Remember, implementation is not just about technology—it’s also about people. Your staff need to understand the processes and tools which are relevant to them and how to use them. This might involve training sessions or workshops to ensure everyone knows what they need to do. 

Finally, keep in mind that documentation is a crucial part of the implementation process. You’ll need to keep records of what controls you’ve implemented, when, and how. This will be invaluable when it comes time to audit your compliance with the NIST 2.0 standard. 

Conclusion 

Achieving NIST 2.0 compliance is a rigorous but rewarding process that involves a comprehensive assessment of your organization’s cybersecurity posture, effective prioritization of risks, and strategic implementation of controls.  

This is particularly pertinent to the utilities sector, where the protection of critical infrastructure is paramount. While NIST 2.0 may not be suitable for smaller organizations, it offers a robust framework for larger entities, including those in the utilities sector, seeking to enhance their cybersecurity. Remember, the journey doesn’t end with implementation. The dynamic nature of cybersecurity necessitates regular reassessments and adjustments to stay ahead of potential threats. Whether you’re handling controls internally or seeking external assistance for more complex measures, maintaining a proactive and informed approach is key to successful compliance in the utilities sector. 

About the author
Eric Brynaert

Eric is a Product Marketing Manager with CIRA Cybersecurity Services. His background in digital marketing has led him to appreciate the vital role data plays for Canadian organizations and individuals, and the need to keep it safe. Eric has an MBA in International Business from Sup de Co La Rochelle.
