Friday, April 3, 2009

Cyber Security Standards

There is an interesting blog post by Joe Weiss over on ControlGlobal.com about what cyber security legislation should look like. Joe is one of the few people well known for his interest and expertise in control system security, and he recently testified before the Senate Committee on Commerce, Science, and Transportation about control system security issues. Joe recommends that any regulatory scheme for control system security should include “NIST SP800-53 or a close derivative”. Unfortunately, I am not familiar with the details of this standard (though I suppose that will probably change in the near future). What I do know is that the first real attempt at a federally regulated security program for private industry where electronic control systems are widely used will not include this standard.

Risk-Based Performance Standards

DHS, as all of the readers of this blog are aware, is prohibited from requiring any ‘standard’ in its review of Site Security Plans. It can only use ‘risk-based performance standards’ to evaluate how well each high-risk chemical facility is doing at reducing or controlling the risk at its specific facility. The Risk-Based Performance Standards Guidance (Guidance) document that is soon (hopefully) to be published by DHS will only provide loosely worded suggestions for strategies that facilities might want to consider employing as part of their layered plan to protect their facility (I hope I got enough qualifiers in there).

To make matters worse, the Draft Guidance that we had a chance to look at last fall did little to provide even loosely worded suggestions for control system security. In fact, the cyber security section of the draft seemed to imply that DHS was looking for standard IT security procedures to protect control systems. Many of those IT security techniques would, in effect, be attacks on control systems. Perhaps the final version of the Guidance will better address the issue of control system security, but I doubt it.

There was only one comment that addressed the control system security issues. While that comment from the ISA99 Committee on Industrial Systems Security was very detailed, most observers (myself included) do not expect significant changes to the Guidance document.

Require Cyber Security Standards

Joe’s blog posting yesterday expressed the opinion that there ought to be industry-wide legislation. He said that: “there is a need for legislation to mandate its [NIST SP800-53] use in all critical infrastructure industries. This will not only provide the best existing standard, it is also the best chance for interoperability across all industries”. Joe may be getting his wish in S 773, a bill introduced in the Senate on Wednesday by Senator Rockefeller, Chairman of the Senate Committee on Commerce, Science, and Transportation. We won’t know for sure until the GPO publishes the text of the proposed bill, probably today.

The problem with any industry-wide requirement is trying to figure out how it will be enforced. With the White House apparently becoming the head office for Cyber Security, it is difficult to see how there could be effective enforcement. On the other hand, for high-risk chemical facilities there is already an enforcement mechanism in place, CFATS. Of course, this would require modifying the authorizing language to allow the Secretary to specify NIST SP800-53 compliance. That authorizing language is due for update this spring, so this is a good time to start talking about cyber security requirements.
