<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>OT Cyber Security Frameworks Comparison Tool (CSFCTool)</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>G. Mùrino</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>M. Ribaudo</string-name>
          <email>marina.ribaudo@unige.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>S. P. Romano</string-name>
          <email>spromano@unina.it</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>A. Tacchella</string-name>
          <email>armando.tacchella@unige.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>DIBRIS, Università degli Studi di Genova</institution>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>DIETI, Università degli Studi di Napoli Federico II</institution>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>This paper proposes a holistic online cybersecurity tool to support the implementation of the “National Framework for Cybersecurity &amp; Data Protection”, of one of its contextualizations, and of the fifteen “Essential Cybersecurity Controls”. It also aims at promoting their wide dissemination among SMEs. All the regulations, standards and national/international laws mentioned as “Informative References” for each Subcategory in the Framework Core are, in fact, made available through a web application where they can be consulted with a few clicks, guiding even less experienced users in the creation of their cybersecurity compliance projects. The research and analysis activities, conducted with a systematic, global and conceptual approach consistent with the original document, have been aimed at highlighting the substantial differences between IT and OT cybersecurity requirements in order to increase, through a comparative analysis, the cyber resilience of national critical infrastructures. Meanwhile, since an important step towards cyberspace security is a global increase in the level of cyber risk awareness, the tool is also meant for education and training programs, both at the corporate and academic levels, in order to bridge the skills gap in the job market between job seekers and employers. For this purpose, some of the main reference standards used for auditing, vulnerability assessment and risk management activities have been included.</p>
      </abstract>
      <kwd-group>
        <kwd>Legal aspects and compliance tool</kwd>
        <kwd>cyber education and training tool</kwd>
        <kwd>cyber risk awareness</kwd>
        <kwd>National Framework for Cybersecurity &amp; Data Protection</kwd>
        <kwd>Data security and Privacy</kwd>
        <kwd>Operational Technology</kwd>
        <kwd>Critical Infrastructures security</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        The publication of Presidential Policy Directive 21 (PPD-21, 2013) [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], issued by former
U.S. President Barack Obama, introduced the concept of resilience as “the ability to prepare for
and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience
includes the ability to withstand and recover from deliberate attacks, accidents, or naturally
occurring threats or incidents”, which was later used to coin the term cyber resilience, “the
ability to continuously deliver the intended outcome despite adverse cyber events” [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>To better address these risks, the Cybersecurity Enhancement Act of 2014<sup>1</sup> (CEA) updated the
role of the National Institute of Standards and Technology (NIST) to include identifying and developing
cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators.
More specifically, the goal was “...to identify a prioritized, flexible, repeatable, performance-based,
and cost-effective approach, including information security measures and controls that may be
voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess,
and manage cyber risks”. This formalized NIST’s previous work developing Framework Version
1.0 under Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity”<sup>2</sup>
(February 2013), and provided guidance for the future evolution of the Framework up to the
release of version 1.1 (April 2018).</p>
      <p>
        Meanwhile, at the national level, as illustrated in Figure 1, the joint activities of the Cyber
Intelligence and Information Security Center (CIS) at Sapienza University of Rome and the
CINI Cyber Security National Lab led to the publication of the “National Framework for
Cyber Security” (version 1.0, 2015) [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], followed in 2016 by the publication of the
“Essential Cyber Security Controls” [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] and, in 2019, by version 2.0 of the
“National Framework for Cybersecurity and Data Protection” (FNCS&amp;DP) [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], which integrates
the national implementation of EU Regulation 2016/679 (GDPR) on personal data protection.
      <p>As in the NIST Framework, from which the National Framework is derived, the Framework
Core includes an Informative References section that lists specific standards, guidelines, and
practices common among critical infrastructure sectors that illustrate a method to achieve the
outcomes associated with each Subcategory.</p>
      <p>Compared to the list initially provided by NIST, the National Framework versions have been
extended to national reference laws and regulations (including transposition decrees of EU
directives).</p>
      <sec id="sec-1-1">
        <p>1 https://www.congress.gov/bill/113th-congress/senate-bill/1353/text</p>
        <p>2 https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity</p>
        <p>The use of Informative References is not compulsory for the implementation of the National
Framework. Organizations have the flexibility to mix and match Informative References as best
suits their needs. They may use all, some, or none of them, or even choose to map additional practices
not included in the Informative References catalog. While this, on the one hand, is an
advantage in applying the National Framework, on the other hand it is a
major problem for SMEs, which face further difficulties as they often lack the skills and/or
economic resources needed to cope with this complexity.</p>
        <p>With this scenario in mind, this work proposes a web-based tool which has three main
objectives:
1. Providing personnel involved in cybersecurity activities with an automatic consultation
and design tool able to support their choices based on a selection of documents that are
quickly accessible and constantly updated, saving research and selection time in the vast
sea of national and international Informative References currently existing.
2. Pointing out the substantial differences in security requirements between an Operational
Technology (OT) and an Information Technology (IT) environment.
3. Providing self-learning support for training, at both corporate and academic level, in
order to standardize the required cybersecurity best practices and skills.</p>
        <p>The paper is organised as follows: in Section 2 we present some related work, while in
Section 3 we describe the objectives of the proposed tool. In Section 4 we briefly describe
the architecture of the current proof of concept and its main functionalities. Finally, Section 5
concludes this work by presenting possible future extensions.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Related Work</title>
      <p>
        The adoption of a cybersecurity framework may represent a best practice and a way to
demonstrate that the organization has exercised a well-grounded duty of care. This is an important
step in dealing with fines and with legal liability in lawsuits [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      <p>Unfortunately, nowadays this is no longer enough. The digital transformation of society
(intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about
new challenges, which require adapted and innovative responses so that no disruption,
even one initially confined to just one entity or one sector, can have cascading effects more
broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery
of services across the whole internal market, as underlined in the recent EU proposal for the NIS 2
Directive (December 2020)<sup>3</sup>.</p>
      <p>
        A significant change of pace is required to rapidly increase cybersecurity awareness overall in
SMEs [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. A change which can only go through a digitization of the tools provided to support this
activity. In this sense, a confirmation is also provided by the american NIST which, by publishing
its NIST SP 800 − 53 rev.5, declares that “...In the near future, NIST also plans to ofer the content
3https://ec.europa.eu/digital-single-market/en/news/proposal-directive-measures-high-common-levelcybersecurity-across-union
of SP 800 − 53, SP 800 − 53, and SP 800 − 53 to a web-based portal to provide its customers
interactive, online access to all control, control baseline, overlay, and assessment information” [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
      </p>
      <p>In this context, another key element is the IT/OT convergence. The advent
of the 4th industrial revolution, also known as Industry 4.0, introduced cyber-physical systems.
Industrial Control Systems (ICS), such as Supervisory Control and Data Acquisition (SCADA),
Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC), were introduced
by the third industrial revolution to support and improve operational activity in the industrial
sector and in critical infrastructures, and were traditionally “closed” to the outside world. They have since been
connected to the Internet, with the unavoidable serious consequences deriving from the need to
integrate the Operational Technology (OT) world, on the one hand, with that of Information
Technology (IT) on the other. The convergence point between these two distinct worlds
is a figurative “red dot” that represents the weak point of the entire system.</p>
      <p>
        This new trend in industry to let IT and OT systems converge comes from the need to access
real time data and to interconnect all facilities in order to enhance productivity/production. The
convergence is driven by the need to obtain quantitative management reporting, assisted by big
data and sensor technology, artificial intelligence, physical automation, remote operations, cloud
computing, analytics [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. This requires operators to increase network connectivity and access to
both IT and OT systems using Ethernet, Wi-Fi and TCP/IP standards [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] with consequent new
challenges to be faced (e.g., network performance considerations related to diferent latency,
jitter, bandwidth and throughput between IT/OT protocols [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]).
      </p>
      <p>
        Finally, as reported by ENISA “CyberSecurity Skills development in the EU” 4 report, published
in December 2019, the cybersecurity skills shortage, which refers to the lack of qualified
cybersecurity professionals in the labour market [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], represents an issue for both economic
development and national security, especially in the rapid digitization of the global economy. It
poses threats with a high impact on the data, information technology systems and networks
that form the dorsal spine of modern societies.
      </p>
      <p>This skills shortage can be further analysed into two concurrent issues: a quantitative one
and a qualitative one. The quantitative issue is related to the insufficient supply of cybersecurity
professionals to meet the requirements of the job market; the qualitative one is related to the
inadequacy of professional skills to meet market needs. The ENISA report focuses on the status of
the cybersecurity education system and its inability to attract more students to the field of
cybersecurity. It argues that many of the current issues in cybersecurity education could be
ameliorated by redesigning educational and training pathways so that they define the knowledge and skills
that students should possess upon graduation and after entering the labour market.</p>
      <p>Different causes might be attributed to the skills shortage<sup>5</sup>, whether issues in the
workplace or in the education and training system. Two elements that compound the shortage
can be attributed to employers or, more generally, to the labour market:
1. The high expectations that employers have about the skill level of candidates that the
current labour market can offer.
2. The lack of sufficient and suitable training provided to employees.</p>
      <sec id="sec-2-1">
        <p>4 https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework</p>
        <p>5 https://www.newamerica.org/cybersecurity-initiative/reports/cybersecurity-workforce-development/</p>
        <p>The cybersecurity job market is relatively immature and very dynamic, and job specifications
are highly dependent on the organisation’s size and sector. The ENISA report emphasizes that “...Small
and Medium-sized enterprises not specialised in job security tend to prefer generalist IT staff with
some understanding of cybersecurity, whereas larger firms and firms specialised in cybersecurity
have need of specialised staff focused on one of the sub-disciplines of cybersecurity”.</p>
        <p>
          Concerning tools availability, to the best of the authors’ knowledge, there is no tool featuring
the same capabilities as the one proposed in this paper. While several automated tools are
available to support technical auditing tasks (i.e., information gathering, penetration, exploitation,
forensics [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ]) or to support cybersecurity learning activities [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ], none is able to simultaneously
ofer support to regulatory compliance, starting from our FNCS &amp; DP, highlighting diferences
in OT vs IT worlds. Last but not least, our tool follows up previous proposals (i.e., Cyber Security
Framework Tool6, CRUMBS [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ]) intended to disseminate the National Framework.
        </p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Cyber Security Framework Comparison Tool</title>
      <p>As anticipated in Section 1, in this section we present the Cyber Security Framework Comparison
Tool (abbreviated as CSFCTool in the following). We first illustrate the implementation of the
three main project objectives. Then, we briefly describe the architecture of the tool and some of
its main functions.</p>
      <sec id="sec-3-1">
        <title>3.1. Objective 1: Simplifying the use of the National Framework by SMEs</title>
        <p>The CSFCTool is based on the observation that the aforementioned National Framework (in
all its versions) proposes, for each identified Subcategory, a list of corresponding Informative
References (see Figure 2), i.e., a list of specific national/international standards, regulations or
laws to refer to in order to achieve the outcomes associated with the selected Subcategory.</p>
        <sec id="sec-3-1-1">
          <p>6 http://tool.cybersecurityframework.it</p>
          <p>The adoption of cybersecurity standards is often a technical challenge for SMEs, where
the staff involved in cybersecurity assessment activities has to face daily overlapping of roles,
shortage of time, and training gaps or inadequate skills.</p>
          <p>The first objective of CSFCTool is reached through four phases, detailed
below, which correspond to as many steps within the security assessment process.
• Step 1 - Automate security assessment activities</p>
          <p>Through direct access to all the national/international standards,
regulations and law articles listed for each selected Subcategory, the
CSFCTool allows users to automate the use of the National Framework for Cybersecurity and
Data Protection (FNCS&amp;DP), one of its contextualizations or the fifteen Essential Cybersecurity
Controls (CEC) in a simple, clear and fast way.
• Step 2 - Verify regulatory compliance</p>
          <p>By creating an individual Portfolio, the CSFCTool allows each user to access the various
projects created, and to verify and record their regulatory compliance with the aid of an interactive
NOTES section associated with each Subcategory of a selected project.
• Step 3 - Plan and manage all projects in a single personal Portfolio
Using the CSFCTool, users can quickly create projects with different maturity levels or
profiles, collect them in their personal PORTFOLIO and manage them intelligently. In
this way they are able to plan and control the organization’s continuous improvement
in an easy way, always keeping the progress of all transition processes under control.
• Step 4 - Save hours of design</p>
          <p>Within the CSFCTool it is possible to access all the national and international references
related to the use of the National Framework and to understand their place in time
(and/or their updates) in a few clicks. Staff are thus able to save hours of work otherwise lost in
collecting, selecting and understanding the rules to be used. For each reference, in fact,
there is also a quick self-learning tutorial that can be easily consulted. Furthermore, all
attached and linked documents are made available in downloadable format.</p>
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Objective 2: Identification of OT vs IT Cybersecurity requirements</title>
        <p>The second main objective of CSFCTool is to highlight the differences in the application of
OT and IT cybersecurity requirements using the so-called CIA triad paradigm based on
Confidentiality, Integrity and Availability (as illustrated in Figure 3), in order to raise the security of critical
infrastructures by increasing the level of awareness of all personnel involved in their operations.</p>
        <p>
          The process consists in a cross-mapping mechanism based on the use of NIST SP 800 − 82
rev.2 “Guide to Industrial Control Systems (ICS) Security” [
          <xref ref-type="bibr" rid="ref16">16</xref>
          ] a document that provides guidance
on how to secure ICS, including SCADA systems, DCS, and other control system configurations
such as PLC, while addressing their unique performance, reliability, and safety requirements [
          <xref ref-type="bibr" rid="ref17">17</xref>
          ].
This document7 includes (in Appendix G) an overlay based on NIST SP 800− 53 Rev.4 [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]. More
specifically, Table G-1 provides a summary of the security controls and control enhancements
        </p>
        <sec id="sec-3-2-1">
          <title>7Cited also in ECSO Guidelines [18] as reference for ICS in Industry 4.0</title>
          <p>from NIST SP 800 − 53 Appendix F that have been allocated to the initial security control
baselines (i.e., Low, Moderate, and High) along with indications of ICS Supplemental Guidance
and ICS tailoring. Controls and control enhancements for which there is ICS Supplemental
Guidance are bolded. If the control baselines are supplemented by the addition of a control to the
baseline, the control or control enhancement is underlined. If a control or control enhancement
is removed from the baseline, the control or control enhancement is struck out.</p>
          <p>The example in Figure 4 compares the initial control baseline values for NIST SP 800-53 rev.4 (above)
with the NIST SP 800-82 rev.2 overlay (below). It highlights how ICS Supplemental Guidance
was added to Control Enhancement 1 of AU-4 (bolded). In addition, Control Enhancement 1 of
AU-4 was added to the Low, Moderate and High baselines (underlined).</p>
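          <p>The cross-mapping described above can be made concrete with an added worked example in Python; it is not code from the paper or from NIST. It encodes a handful of Table G-1 rows as data, compares the initial SP 800-53 Rev.4 Low/Moderate/High allocation of each control or enhancement with the SP 800-82 Rev.2 overlay allocation, and classifies the outcome as added (underlined in the table), removed (struck out) or unchanged, flagging rows that carry ICS Supplemental Guidance (bolded). The AU-4 and AU-4(1) rows follow what Figure 4 reports; the control ids XX-1 and XX-2, their allocations, and all function and field names are assumptions constructed for illustration, not real overlay decisions.</p>
          <preformat>
```python
"""Cross-mapping NIST SP 800-53 Rev.4 baselines against the SP 800-82 Rev.2 ICS overlay.

Added example (not code from the CSFCTool paper or from NIST). It performs the
comparison that Table G-1 of SP 800-82 Rev.2 encodes typographically: for each
control or control enhancement, the initial Low/Moderate/High allocation is
compared with the overlay allocation and classified as added (underlined in the
table), removed (struck out) or unchanged, with a flag for rows that carry ICS
Supplemental Guidance (bolded). Only the AU-4 and AU-4(1) rows follow what the
paper reports for Figure 4; the "XX-n" rows are constructed illustration data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

BASELINES = ("Low", "Moderate", "High")  # SP 800-53 initial baselines, display order


@dataclass(frozen=True)
class ControlRow:
    control: str                # control or enhancement id, e.g. "AU-4", "AU-4(1)"
    baseline: FrozenSet[str]    # allocation in the SP 800-53 Rev.4 baselines
    overlay: FrozenSet[str]     # allocation in the SP 800-82 Rev.2 Appendix G overlay
    ics_guidance: bool = False  # overlay attaches ICS Supplemental Guidance


@dataclass
class Tailoring:
    control: str
    added: List[str] = field(default_factory=list)    # underlined in Table G-1
    removed: List[str] = field(default_factory=list)  # struck out in Table G-1
    bold: bool = False                                # ICS Supplemental Guidance

    def render(self) -> str:
        """Plain-text stand-in for the table's typography: **bold**, +added, -removed."""
        name = f"**{self.control}**" if self.bold else self.control
        marks = [f"+{b}" for b in self.added] + [f"-{b}" for b in self.removed]
        return f"{name}: {' '.join(marks) if marks else 'unchanged'}"


def unknown_baselines(row: ControlRow) -> List[str]:
    """Names that are not one of Low/Moderate/High (e.g. a typo in the input data)."""
    return sorted((row.baseline | row.overlay) - set(BASELINES))


def compare(rows: Iterable[ControlRow]) -> Dict[str, Tailoring]:
    """Classify every row; added/removed lists keep Low/Moderate/High order."""
    result: Dict[str, Tailoring] = {}
    for row in rows:
        bad = unknown_baselines(row)
        if bad:
            raise ValueError(f"{row.control}: unknown baseline(s) {bad}")
        t = Tailoring(row.control, bold=row.ics_guidance)
        for b in BASELINES:
            if b in row.overlay and b not in row.baseline:
                t.added.append(b)
            elif b in row.baseline and b not in row.overlay:
                t.removed.append(b)
        result[row.control] = t
    return result


def baseline_delta(rows: Iterable[ControlRow], baseline: str) -> Dict[str, List[str]]:
    """OT-vs-IT view for one impact level: controls an ICS operator must add beyond,
    or may drop from, the plain IT baseline at that level."""
    if baseline not in BASELINES:
        raise ValueError(f"unknown baseline {baseline!r}")
    tailored = compare(rows)
    return {
        "added": [c for c, t in tailored.items() if baseline in t.added],
        "removed": [c for c, t in tailored.items() if baseline in t.removed],
    }


LMH = frozenset(BASELINES)
SAMPLE_ROWS = [
    # AU-4 Audit Storage Capacity sits in all three Rev.4 baselines; the paper's
    # Figure 4 only describes its enhancement, so no guidance flag is set here.
    ControlRow("AU-4", LMH, LMH),
    # AU-4(1) is in none of the Rev.4 baselines; the overlay adds it to Low,
    # Moderate and High and attaches ICS Supplemental Guidance (paper, Figure 4).
    ControlRow("AU-4(1)", frozenset(), LMH, ics_guidance=True),
    # Constructed rows with hypothetical ids; no real overlay decision behind them.
    ControlRow("XX-1", frozenset({"Moderate", "High"}), frozenset({"High"})),
    ControlRow("XX-2", LMH, LMH),
]

if __name__ == "__main__":
    for tailoring in compare(SAMPLE_ROWS).values():
        print(tailoring.render())
    print("Moderate baseline delta:", baseline_delta(SAMPLE_ROWS, "Moderate"))
```
          </preformat>
          <p>The per-baseline view produced by baseline_delta is the one an SME operating ICS actually needs: at the Moderate baseline it lists AU-4(1) as a control to add beyond the IT baseline and, in the constructed data, XX-1 as one the overlay drops. Loading the complete Table G-1 into SAMPLE_ROWS would turn the script into the comparison that Objective 2 describes.</p>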
        </sec>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. Objective 3: Training and self-training activities</title>
        <p>Helping to bridge the skills gap is the third key objective of the CSFCTool project. To support
training and self-learning activities, two closely interconnected actions have been implemented:
• Extension of the list of standards, regulations and laws</p>
        <p>As shown in Figure 5, the Informative References of the FNCS &amp; DP have been extended
by adding eight new documents, which are briefly described in Appendix A.
• Creation of eight educational sections</p>
        <p>Starting from the complete Informative Reference list, eight sections have so far been
created (as shown in Figure 6), which present all the documents listed in Figure 5. Each
section includes:
1. A landing page with a brief introductory summary and links to all related standards,
regulations or laws.
2. A timeline that allows users to place all related documents in time and in the national
vs international panorama.
3. A subsection for each standard, regulation or law previously summarized. Each
subsection proposes synthetic content aimed at self-orientation and/or self-learning
(which can also be used for face-to-face or online training) and, in compliance with
the original document, allows interactive access to all the cross-referenced contents it cites.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Prototype description</title>
      <p>CSFCTool is built as a standard web application. Its front-end is developed in HTML and CSS,
taking advantage of the Bootstrap<sup>8</sup> framework to improve the look and feel of the user interface.
The server-side code is written in the PHP programming language and the back-end data
storage is handled by a MySQL<sup>9</sup> server using MySQL Workbench, an Oracle unified visual tool
that provides data modeling, SQL development, server configuration, user administration and
backup. The current implementation is still a proof of concept built to demonstrate the potential
of such an application. Some refactoring is needed to go online, but the current proof-of-concept
version provides a view of all the functions that have been designed and implemented.</p>
      <p>A visual sitemap of CSFCTool showing the full website structure is presented in Figure 7.
The eight educational sections are available in the HOME page. From the menu bar it is possible
to reach the services (SERVIZI) and other resources (RISORSE).</p>
      <p>Figure 8 shows a small portion of the back-end relational database, presenting the tables
(Function, Category, Subcategory, Ref) which map all Subcategories to their
corresponding Informative References, as discussed in Section 3.1. Thanks to the data stored in these
tables, users can access all Informative References and find all the details presented in
tabular form. This gives them direct access to specific articles without having to
browse the whole document.</p>
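      <p>To make the mapping concrete, the following Python is an added example and is not the CSFCTool’s PHP/MySQL code. It builds the four tables named above, plus the join table a many-to-many mapping needs, in an in-memory SQLite database, loads a constructed excerpt of the NIST CSF 1.1 Core (from which the National Framework derives) as sample rows, and implements the two look-ups the tool offers: the reference clauses listed for a chosen Subcategory, and the reverse question of which Subcategories cite a given document or clause. Table and column names, function names and the sample rows are assumptions made for illustration.</p>
      <preformat>
```python
"""Subcategory-to-Informative-Reference mapping as a relational schema (Figure 8).

Added example, not the CSFCTool's PHP/MySQL code. It builds the four tables the
paper names (Function, Category, Subcategory, Ref) plus the join table that the
many-to-many mapping needs, in an in-memory SQLite database, and implements the
two look-ups the tool exposes: every reference clause listed for a chosen
Subcategory, and the reverse question of which Subcategories cite a given
document or clause. The sample rows are a constructed excerpt modelled on the
NIST CSF 1.1 Core; they are not the tool's data, and the table and column names
are assumptions.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE function    (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE category    (id TEXT PRIMARY KEY, name TEXT NOT NULL,
                          function_id TEXT NOT NULL REFERENCES function(id));
CREATE TABLE subcategory (id TEXT PRIMARY KEY, outcome TEXT NOT NULL,
                          category_id TEXT NOT NULL REFERENCES category(id));
-- One row per cited clause, so the UI can jump to the article, not the whole document.
CREATE TABLE ref         (id INTEGER PRIMARY KEY, document TEXT NOT NULL,
                          clause TEXT NOT NULL, UNIQUE (document, clause));
-- Join table: a Subcategory cites many clauses and a clause serves many Subcategories.
CREATE TABLE subcategory_ref (
    subcategory_id TEXT NOT NULL REFERENCES subcategory(id),
    ref_id         INTEGER NOT NULL REFERENCES ref(id),
    PRIMARY KEY (subcategory_id, ref_id));
"""

# Constructed sample (CSF 1.1 excerpt); the real catalogue is far larger.
FUNCTIONS = [("ID", "IDENTIFY")]
CATEGORIES = [("ID.AM", "Asset Management", "ID")]
SUBCATEGORIES = [
    ("ID.AM-1", "Physical devices and systems within the organization are inventoried", "ID.AM"),
    ("ID.AM-2", "Software platforms and applications within the organization are inventoried", "ID.AM"),
]
MAPPINGS = [  # (subcategory, document, clause)
    ("ID.AM-1", "ISO/IEC 27001:2013", "A.8.1.1"),
    ("ID.AM-1", "ISO/IEC 27001:2013", "A.8.1.2"),
    ("ID.AM-1", "NIST SP 800-53 Rev. 4", "CM-8"),
    ("ID.AM-1", "NIST SP 800-53 Rev. 4", "PM-5"),
    ("ID.AM-2", "ISO/IEC 27001:2013", "A.8.1.1"),
    ("ID.AM-2", "ISO/IEC 27001:2013", "A.8.1.2"),
    ("ID.AM-2", "ISO/IEC 27001:2013", "A.12.5.1"),
    ("ID.AM-2", "NIST SP 800-53 Rev. 4", "CM-8"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK enforcement off by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO function VALUES (?, ?)", FUNCTIONS)
    conn.executemany("INSERT INTO category VALUES (?, ?, ?)", CATEGORIES)
    conn.executemany("INSERT INTO subcategory VALUES (?, ?, ?)", SUBCATEGORIES)
    for sub, doc, clause in MAPPINGS:
        conn.execute("INSERT OR IGNORE INTO ref (document, clause) VALUES (?, ?)", (doc, clause))
        conn.execute(
            "INSERT INTO subcategory_ref SELECT ?, id FROM ref WHERE document = ? AND clause = ?",
            (sub, doc, clause))
    conn.commit()
    return conn


def references_for(conn: sqlite3.Connection, subcategory_id: str) -> List[Tuple[str, str]]:
    """All (document, clause) pairs listed for one Subcategory, in display order.
    The id comes from the user's checkbox selection in the web front-end, so it is
    bound as a parameter, never spliced into the SQL string."""
    return conn.execute(
        """SELECT r.document, r.clause
             FROM subcategory_ref sr JOIN ref r ON r.id = sr.ref_id
            WHERE sr.subcategory_id = ?
            ORDER BY r.document, r.clause""", (subcategory_id,)).fetchall()


def subcategories_citing(conn: sqlite3.Connection, document: str,
                         clause: Optional[str] = None) -> List[str]:
    """Reverse mapping: which Subcategories point at a document (or one clause of it).
    This is the query behind an IT-vs-OT view, e.g. everything that cites SP 800-82."""
    sql = """SELECT DISTINCT sr.subcategory_id
               FROM subcategory_ref sr JOIN ref r ON r.id = sr.ref_id
              WHERE r.document = ?"""
    params: List[str] = [document]
    if clause is not None:
        sql += " AND r.clause = ?"
        params.append(clause)
    return [row[0] for row in conn.execute(sql + " ORDER BY sr.subcategory_id", params)]


def rejects_dangling_mapping(conn: sqlite3.Connection) -> bool:
    """Integrity check: a mapping for a Subcategory that does not exist must be
    refused by the foreign key, so the catalogue cannot silently drift."""
    try:
        conn.execute("INSERT INTO subcategory_ref VALUES (?, ?)", ("XX.YY-9", 1))
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.rollback()


if __name__ == "__main__":
    db = build_db()
    for doc, art in references_for(db, "ID.AM-1"):
        print(f"ID.AM-1 -> {doc} {art}")
    print("cites A.8.1.1:", subcategories_citing(db, "ISO/IEC 27001:2013", "A.8.1.1"))
    print("FK enforced:", rejects_dangling_mapping(db))
```
      </preformat>
      <p>Two details matter for a compliance catalogue that users query through a web form: the Subcategory id and document name arrive from the browser and are always bound as query parameters rather than concatenated into SQL, and foreign keys are switched on so that a mapping row pointing at a non-existent Subcategory is refused (rejects_dangling_mapping exercises the check) instead of silently corrupting the catalogue.</p>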
      <p>In order to use the available services, users must register with the platform providing their
name, surname and a valid e-mail address. After authentication a user can:
1. Consult all articles from the regulations, standards and laws listed for each Subcategory
in the Informative References section, starting from FNCS &amp; DP, CEC or an existing
contextualization (e.g., GDPR).
2. Create a new project, i.e., select the Subcategories they might decide to implement within
their organization starting from FNCS &amp; DP, CEC or from a new contextualization
(the consultation function for Informative References remains available to support choices).
3. View all projects in a personal PORTFOLIO area. All the different projects created and
stored are available here to be used synergistically, e.g., to monitor continuous
improvement when moving from the current to the target profile.</p>
      <p>After selecting the starting point, users are presented with a page listing the corresponding Functions,
Categories, Subcategories and Informative References, to be selected by checking boxes in a
guided procedure.</p>
      <p>Figure 9 shows the four steps of this procedure, with the first one highlighted in blue. All
projects are reachable from the PORTFOLIO section. Opening a created project makes
two sections available. The first presents a summary of the selected Subcategories, while the second,
for each Subcategory, provides the user with a NOTE section where information obtained
from the normative text, or any other type of comment useful for its implementation, can be added. Currently,
only textual comments can be added, but support for other types of documents, e.g., PDF
files or images, can easily be added.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusions and future work</title>
      <p>This paper presented the main features of CSFCTool, a new web-based application with the
objective of raising awareness about IT/OT cybersecurity and empowering end users (in particular
SMEs) with actionable knowledge on standards, regulations and laws related to the protection of
critical infrastructure.</p>
      <p>We have discussed the main rationale behind the project, as well as provided information
about both the design and the implementation of a proof-of-concept prototype of the overall
system.</p>
      <p>As part of our future work, we plan to refine the current implementation in order to arrive
at a fully fledged product. The goal is to enable companies to leverage such a product for
implementing effective strategies aimed at increasing the overall resilience level of their critical
infrastructures.</p>
      <p>A second line of development concerns the use of the CSFCTool as an effective means for
carrying out education and training campaigns, both at the academic level and as part of
dedicated professional training initiatives tailored to private companies.</p>
      <p>Finally, we also plan to integrate the CSFCTool with state-of-the-art monitoring frameworks
like, e.g., the well-known ELK (Elasticsearch, Logstash and Kibana)<sup>10</sup> stack. Namely, our tool
might become an ELK component tailored to analyzing and cataloguing information about a
company’s IT/OT cybersecurity compliance level, as well as optimizing IT/OT data management
processes for the long term.</p>
    </sec>
    <sec id="sec-6">
      <title>Appendix A</title>
      <p>The documents listed in Figure 5 are briefly described in the following.</p>
      <p>
        • NIST SP 800-53 Rev.5. A revision of the foundational NIST SP 800-53 rev.4, this publication
represents a multi-year effort to develop the next generation of security and privacy
controls that will be needed "...to develop and make available to a broad base of public and
private sector organizations a comprehensive set of safeguarding measures for all types of
computing platforms, including general purpose computing systems, cyber-physical systems,
cloud-based systems, mobile devices, Internet of Things (IoT) devices, weapons systems, space
systems, communications systems, environmental control systems, super computers, and
industrial control systems". It includes changes to make these controls more usable by
diverse consumer groups (such as enterprises conducting mission and business functions;
engineering organizations developing information systems, IoT devices, and
systems-of-systems; and industry partners building system components, products, and services).
• NIST SP 800-82 Rev.2, which provides the overlay for ICS described among the CSFCTool
objectives in Section 3.2.
• ISO 19011:2018 "Guidelines for auditing management systems" [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ]. This document
provides the third edition of the ISO guidance on auditing management systems,
including the principles of auditing, managing an audit programme and conducting
management system audits, as well as guidance on the evaluation of competence of individuals
involved in the audit process.
• ISO/IEC 27000:2018 "Information technology - Security techniques - Information
security management systems - Overview and vocabulary" (fifth edition) [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ]. This
document provides an overview of Information Security Management Systems (ISMS)
and describes terms and definitions commonly used in the ISMS family of standards.
• ISO/IEC 27005:2018 "Information technology - Security techniques - Information
security risk management" [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ]. This document provides ISO guidelines for information
security risk management in an organization. It supports the general
concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation
of information security based on a risk management approach.
• ISO 31000:2018 "Risk management - Guidelines" [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ]. This document provides ISO
guidelines on managing the risks faced by organizations. It provides a common
approach to managing any type of risk and is not industry or sector specific. It can be
used throughout the life of the organization.
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>B.</given-names>
            <surname>Obama</surname>
          </string-name>
          ,
          <source>Presidential Policy Directive</source>
          <volume>21</volume>
          (
          <issue>PPD21</issue>
          ):
          <article-title>Critical infrastructure security and resilience</article-title>
          (Washington, DC (
          <year>2013</year>
          )).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>F.</given-names>
            <surname>Bjorck</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Henkel</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Stirna</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Zdravkovic</surname>
          </string-name>
          ,
          <article-title>Cyber resilience-fundamentals for a definition</article-title>
          ,
          <source>in: New Contributions in Information Systems and Technologies</source>
          , Springer,
          <year>2015</year>
          , pp.
          <fpage>311</fpage>
          -
          <lpage>316</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>R.</given-names>
            <surname>Baldoni</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Montanari</surname>
          </string-name>
          ,
          <source>Un Framework Nazionale per la Cyber Security</source>
          ,
          <source>2015 Italian Cyber Security report</source>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <collab>CIS-Sapienza/CINI</collab>
          ,
          <source>Controlli essenziali di cybersecurity</source>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <collab>CIS-Sapienza/CINI</collab>
          ,
          <source>Framework nazionale per la cybersecurity e la data protection</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>M.</given-names>
            <surname>Angelini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Ciccotelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Franchina</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Marchetti-Spaccamela</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Querzoni</surname>
          </string-name>
          ,
          <article-title>Italian national framework for cybersecurity and data protection</article-title>
          ,
          <source>in: Annual Privacy Forum</source>
          , Springer,
          <year>2020</year>
          , pp.
          <fpage>127</fpage>
          -
          <lpage>142</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>B. Y.</given-names>
            <surname>Ozkan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Spruit</surname>
          </string-name>
          ,
          <article-title>Cybersecurity Standardisation for SMEs: The Stakeholders' Perspectives and a Research Agenda</article-title>
          ,
          <source>International Journal of Standardization Research (IJSR) 17</source>
          (
          <year>2019</year>
          )
          <fpage>41</fpage>
          -
          <lpage>72</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <collab>NIST (National Institute of Standards and Technology)</collab>
          ,
          <source>NIST SP 800-53 rev. 5 - Security and Privacy Controls for Federal Information Systems and Organizations</source>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>G.</given-names>
            <surname>Murray</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. N.</given-names>
            <surname>Johnstone</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Valli</surname>
          </string-name>
          ,
          <article-title>The convergence of IT and OT in critical infrastructure</article-title>
          ,
          <source>in: 15th Australian Information Security Management Conference</source>
          ,
          <year>2017</year>
          , p.
          <fpage>149</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>A.</given-names>
            <surname>Shahzad</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N. N.</given-names>
            <surname>Xiong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Jeong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.-K.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.-Y.</given-names>
            <surname>Choi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. W.</given-names>
            <surname>Mahesar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I.</given-names>
            <surname>Ahmad</surname>
          </string-name>
          ,
          <article-title>A secure, intelligent, and smart-sensing approach for industrial system automation and transmission over unsecured wireless networks</article-title>
          ,
          <source>Sensors</source>
          <volume>16</volume>
          (
          <year>2016</year>
          )
          <fpage>322</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>E. D.</given-names>
            <surname>Knapp</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. T.</given-names>
            <surname>Langill</surname>
          </string-name>
          <source>Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems</source>
          , Syngress,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>T.</given-names>
            <surname>De Zan</surname>
          </string-name>
          ,
          <article-title>Future research on the cyber security skills shortage</article-title>
          ,
          <source>Cyber Security Education: Principles and Policies</source>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>O. M.</given-names>
            <surname>Al-Matari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I. M. A.</given-names>
            <surname>Helal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. A.</given-names>
            <surname>Mazen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Elhennawy</surname>
          </string-name>
          ,
          <article-title>Cybersecurity Tools for IS Auditing</article-title>
          ,
          <source>in: 2018 Sixth International Conference on Enterprise Systems (ES)</source>
          ,
          <year>2018</year>
          , pp.
          <fpage>217</fpage>
          -
          <lpage>223</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>L.</given-names>
            <surname>Topham</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Kifayat</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y. A.</given-names>
            <surname>Younis</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Q.</given-names>
            <surname>Shi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Askwith</surname>
          </string-name>
          ,
          <article-title>Cyber security teaching and learning laboratories: A survey</article-title>
          ,
          <source>Information &amp; Security</source>
          <volume>35</volume>
          (
          <year>2016</year>
          )
          <fpage>51</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>M.</given-names>
            <surname>Angelini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lenti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Santucci</surname>
          </string-name>
          ,
          <article-title>CRUMBS: a cyber security framework browser</article-title>
          ,
          <source>in: 2017 IEEE Symposium on Visualization for Cyber Security (VizSec)</source>
          , IEEE,
          <year>2017</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>8</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <collab>NIST (National Institute of Standards and Technology)</collab>
          ,
          <source>NIST SP 800-82 rev. 2 - Guide to Industrial Control Systems (ICS) Security</source>
          (
          <year>2015</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>W.</given-names>
            <surname>Knowles</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Prince</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Hutchison</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. F. P.</given-names>
            <surname>Disso</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Jones</surname>
          </string-name>
          ,
          <article-title>A survey of cyber security management in industrial control systems</article-title>
          ,
          <source>International journal of critical infrastructure protection 9</source>
          (
          <year>2015</year>
          )
          <fpage>52</fpage>
          -
          <lpage>80</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <collab>ECSO (European Cyber Security Organization)</collab>
          ,
          <source>State of the Art Syllabus - Overview of existing Cybersecurity standards and certification schemes v2</source>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <collab>NIST (National Institute of Standards and Technology)</collab>
          ,
          <source>NIST SP 800-53 rev. 4 - Security and Privacy Controls for Federal Information Systems and Organizations</source>
          (
          <year>2013</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 19011:2018 - Guidelines for auditing management systems</source>
          (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27000:2018 - Information technology - Security techniques - Information security management systems - Overview and vocabulary</source>
          (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27001:2017 Information technology - Security techniques - Information Security Management Systems - Requirements</source>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27001:2013 Information technology - Security techniques - Information Security Management Systems - Requirements</source>
          (
          <year>2013</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27002:2017 Information technology - Security techniques - Code of practice for information security control</source>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27002:2013 Information technology - Security techniques - Code of practice for information security control</source>
          (
          <year>2013</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 27005:2018 Information technology - Security techniques - Information security risk management</source>
          (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <collab>ISO (International Organization for Standardization)</collab>
          ,
          <source>ISO 31000:2018 - Risk management - Guidelines</source>
          (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>