By Ron McFarland, Ph.D.

June 1, 2019

The largest problem with open source solutions is that there is generally no vetting process for much of the open source communities in terms of cybersecurity efficacy. For example, the Equifax hack was as a result of an open source java component being used in a framework that afforded attackers to exfiltrate consumer PII. I recently read that over 1,000 downloads per day occur in the software development space for open source modules. If we think of all of the vulnerabilities that occur in the open source ‘object library’ and software component space, and organizations are downloading well over 350,000 open source objects that are compiled into code, the software framework is, from a cybersecurity perspective, weak and not sustainable.

The draft implementation guide (NISTIR 8183A) for the Cybersecurity Framework (CSF) Manufacturing Profile Low Security Level has been developed for managing cybersecurity risk for manufacturers and takes a look at this issue, in particular. More specifically, the NISTIR 8183A is aligned with manufacturing sector goals and industry best practices and other variations will probably surface for other important sectors.

As a note, the NISTIR 8183A guide provides general implementation guidance (Volume 1) and example proof-of-concept solutions demonstrating how currently available open-source and commercial off-the-shelf (COTS) products can be implemented in manufacturing environments to satisfy the requirements in the Cybersecurity Framework (CSF) Manufacturing Profile Low Security Level. Example proof-of-concept solutions with measured network, device, and operational performance impacts for a process-based manufacturing environment (Volume 2) and a discrete-based manufacturing environment (Volume 3) are included in the guide. Depending on factors like size, sophistication, risk tolerance, and threat landscape, manufacturers should make their own determinations about the breadth of the proof-of-concept solutions they may voluntarily implement.

The CSF Manufacturing Profile (NISTIR 8183) can be used as a roadmap for managing cybersecurity risk for manufacturers and is aligned with manufacturing sector goals and industry best practices. It provides a voluntary, risk-based approach for managing cybersecurity activities and cyber risk to manufacturing systems. The Manufacturing Profile is meant to complement but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

References

Stouffer, Keith, Zimmerman, Timothy, Tang, Cichonski, . . . Wesley. (2019, May 28). Cybersecurity Framework Manufacturing Profile Low Security Level Example Implementations Guide: Volume 1 — General Implementation Guidance. Retrieved June 1, 2019, from https://csrc.nist.gov/publications/detail/nistir/8183a/vol-1/draft

Stouffer, Keith, Zimmerman, Timothy, Tang, Cichonski, . . . Wesley. (2019, May 28). Cybersecurity Framework Manufacturing Profile Low Security Level Example Implementations Guide: Volume 2 — Process-based Manufacturing System Use Case. Retrieved June 1, 2019, from https://csrc.nist.gov/publications/detail/nistir/8183a/vol-2/draft

Stouffer, Keith, Zimmerman, Timothy, Tang, Cichonski, . . . Wesley. (2019, May 28). Cybersecurity Framework Manufacturing Profile Low Security Level Example Implementations Guide: Volume 3 — Discrete-based Manufacturing System Use Case. Retrieved June 1, 2019, from https://csrc.nist.gov/publications/detail/nistir/8183a/vol-3/draft

About the Author

Dr. Ron McFarland, CISSP, PMP is a Cyber Security Analyst at CMTC. He is a post-doctoral scholar for the University of Maryland University College. He received his doctorate from Nova Southeastern University’s School of Engineering and Computer Science and a post-doc graduate certificate in Cyber Security Technologies from the University of Maryland University College. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications. He is a guest blogger at the Wrinkled Brain Network (https://wrinkledbrainnetwork.com/ ), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC email: ronald.mcfarland@faculty.umuc.edu

Dr. Ron McFarland, CISSP, PMP guest blogger at Highervista, LLC (email: highervista@gmail.com)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store