03.06.2022 | Bruno Blumenthal
Cyber Resilience with the ICT Minimum Standard
The Federal Office for National Economic Supply (FONES) published the ICT minimum standard in 2018. This is intended as a recommendation to help companies better protect themselves against cyberattacks. The target audience of the minimum standard is primarily operators of critical infrastructures, but the standard is intended to be applicable to all organizations. The ICT minimum standard is based on the NIST Cybersecurity Framework (NIST CSF). Both standards have gained in importance in recent years. If a few important points are taken into account during implementation, these two standards are very good tools for improving cybersecurity in an organization.
In February 2013, US President Barack Obama commissioned the National Institute of Standards and Technology (NIST) to work with relevant stakeholders to develop a voluntary framework - based on existing standards, guidelines and practices - to reduce cyber risks for critical infrastructure. The reason for this was the realization that the national and economic security of the USA depends on the reliable functioning of critical infrastructure, much of which is privately owned. In Switzerland, the situation is similar for critical infrastructures. As part of the National Strategy for the Protection of Switzerland against Cyber Risks (NCS), the Federal Office for National Economic Supply therefore received a similar mandate as NIST and subsequently created the ICT minimum standard. The BWL has taken the NIST CSF as the basis for its own standard. In terms of content, the two standards are therefore very similar.
Structure of the ICT minimum standard
Part 1 - Introduction
Part 1 of the ICT minimum standard is a general introduction to the various aspects of cybersecurity. The introduction provides a good overview of the breadth of topics in this area. It also discusses the differences between traditional IT and industrial control systems, which play a central role in many critical infrastructures.
Part 2 - Implementation
Part 2 describes the cybersecurity tasks that an organization has to perform. Here, the ICT minimum standard adopts the structure and most of the content of the NIST CSF. The tasks are assigned to the five functions Identify, Protect, Detect, Respond and Recover. The functions are each divided into several categories under which the actual tasks are described. When formulating the tasks, the authors of the ICT minimum standard decided to adapt them to the NIST CSF. The NIST CSF deliberately does not describe tasks in the form of activities, processes or technical measures. The subcategories, as they are called in the NIST CSF Core, are formulated as results or objectives (outcomes). NIST did not want to prescribe how something must be done, but only define what should be achieved. The idea was that companies are already carrying out cybersecurity activities and ultimately the only thing that matters is whether they achieve the objectives with their activities. In addition, there are already other standards that describe in detail how the objectives can be achieved. Various references to other standards are listed in the NIST CSF for each sub-category. The disadvantage of this approach is that the NIST CSF itself offers little concrete support for implementing the formulated goals. In the ICT minimum standard, it was therefore decided to deviate from this outcome-based model and to formulate specific tasks that are intended to represent more concrete and more easily applicable instructions for action. However, this means accepting that freedom of action in implementation is restricted if the decision is made to follow the wording of the standard. It should also be noted that the descriptions of the tasks in the ICT minimum standard are not very detailed and often remain rather abstract. Nevertheless, the detailed references to other standards have also been retained in the ICT minimum standard.
Part 3 - Testing
In the last part, the ICT minimum standard describes how the cybersecurity maturity of an organization can be assessed against the minimum standard. The BWL has published an assessment tool in the form of an Excel sheet for this purpose. Like the NIST in its framework, the BWL deliberately does not specify the target value of the maturity assessment in the ICT minimum standard. The standard states: “Each organization must independently define its risk appetite and thus determine the appropriate level of protection (per category). “ Unfortunately, this sentence is often ignored in practice. The average maturity level of 2.6, which the BWL uses as the target maturity level in its assessment tool, is usually simply used as a guide - although the standard explicitly points out that this is only an example.
The note in brackets “per category “ is also important. It is not advisable to aim for a homogeneous maturity across all categories when applying the ICT minimum standard or the NIST CSF, at least not in a first step. Target values should be broken down at least to the individual categories, or even better to the individual tasks or subcategories. The threat situation of the organization and the current status quo must be taken into account when defining the target values.
Caution should also be exercised before applying the maturity model too strictly. The maturity model defined in the ICT minimum standard places a strong focus on the fact that tasks must first be fully documented and approved. In practice, this can lead to a great deal of effort being invested in formalities and centralized definitions without any effect being achieved. Here too, it is important to weigh up what the relevant aspects are for the individual tasks in order to achieve sufficient maturity with the best possible effectiveness.
Implementation of the standards
The ICT minimum standard offers little assistance with regard to implementation. It is worth taking a look at the NIST CSF, which proposes a 7-step plan for achieving the described goals. This can also be applied analogously to the ICT minimum standard or other control frameworks.
- prioritize and scope
Identify the critical areas and processes of the organization that should be prioritized in terms of cybersecurity - orient
Identify the assets in the identified scope and the relevant regulatory requirements - create a Current Profile
Conduct a maturity assessment to determine the current state - conduct a Risk Assessment
identify the existing cyber risks that need to be addressed - create a Target Profile
Definition of the target state to be achieved in order to adequately address the identified risks 6 Determine, Analyze, and Prioritize Gaps
Create a roadmap to narrow the gaps between the current state and the target state - implement action plan
implement the roadmap
In practice, it can be observed that steps 4 and 5 are often neglected. However, the risk assessment (step 4) is important to ensure that the right measures are prioritized and that an effective security gain can be achieved as quickly as possible. The target profile (step 5) describes the specific target state that is to be achieved. As already mentioned, the same maturity value is often simply set for all tasks. However, this usually overburdens the organization and there is no way to prioritize the individual tasks.
When prioritizing the tasks or defining the target values, it is advisable to move along the functions from left to right. A high level of maturity in the Detect and Respond functions can hardly be achieved without having built up a minimum level of maturity in the Identify function. If the Protect function is only rudimentarily covered or if there are serious gaps in the protection, increased detection will primarily uncover the deficiencies in the protection system and not actual cyberattacks. However, this does not mean that a function should only be addressed once the previous function has been implemented with the highest level of maturity. Implementation should always be iterative.
Conclusion
The ICT minimum standard and its role model, the NIST Cybersecurity Framework, are suitable tools for improving an organization’s cyber resilience. However, there are a few pitfalls to be aware of when implementing them. In particular, the focus should not only be on the individual tasks or subcategories, but the implementation of the functions should be understood as part of a comprehensive process to reduce cyber risks. The NIST CSF offers additional support here if you consider the entire standard and not just the core with the functions and subcategories. For this reason, it is advisable to use the NIST CSF as the basis for implementing the ICT minimum standard or at least to supplement the ICT minimum standard for implementation with the missing parts from the NIST CSF.
Cybersecurity Risk Management Compliance
