NIST is the National Institute of Standards and Technology, a US-based, government-supported research organisation that looks into guiding developing technologies. It creates reports with the support of industry and on the basis of internal research, and is largely, but not entirely, independent.
On March 4th, the organisation published this draft, which indicates a specific interest in manufacturing environments and the impact of cybersecurity, and draws on guidance from earlier NIST publications to support manufacturing environments in organising cybersecurity and getting it included in their operations.
While it mainly promotes the US economy and takes a US perspective, its contents and ideas, and the openness of its publication, make it relevant for European manufacturers to consider the work and draft activities on the basis of its recommendations and considerations.
The “Manufacturing Profile” of the CSF can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.
The Profile gives manufacturers:
• A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system
• An evaluation of their ability to operate the control environment at their acceptable risk level
• A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security
The Profile is built around the primary functional areas of the Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover) and a series of identified risks common to the manufacturing industry:
- human safety
- environmental safety
- quality of product
- quality of production goals
- trade secrets
The Profile splits up both by low, medium and high levels, indicating the risks and associated profiles to list and to control or manage.