Friday, May 6, 2011

Updated Recommendations for Standards Developers

Yesterday the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published the latest version (Version 7, April 2011) of the Recommendations for Standards Developers. This replaces the June 2010 version that was available through the ICS-CERT website through early yesterday. The Recommendations is described in the Executive Summary (pg v) this way:

“This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. The recommendations in this catalog are grouped into 19 families, or categories, that have similar emphasis. The recommendations within each family are displayed with a summary statement of the recommendation, supplemental guidance or clarification, and a requirement enhancements statement providing augmentation for the recommendation under special situations.”
There is no listing of the differences between this new version and the older version of the document so it is difficult to tell what has changed in the new document. A quick glance at the Table of Contents of both documents shows no change (other than a big typo in the description for Section 2.9.2 in the new document) in the information covered though it is apparent that there is more information in each of the sections covered.

Information Differences

Trying to determine the exact differences is difficult. In many instances the differences are minor. For example looking at page 1 in both documents we can see a one word difference in the first sentence under ‘Proprietary Control System Technology’.

• June 2010 – “A large percentage of control system hardware and software is proprietary.”

• April 2011 – “A large percentage of deployed control system hardware and software is proprietary.
It is hard to call that a significant change. The second sentence in the same section, however, shows how, in some instances, more information may be provided in the new version:

• June 2010 – “However, some vendors are moving toward marketing products that use nonproprietary, off-the-shelf technologies.”

• April 2011 – “However, some vendors are moving toward marketing products that use nonproprietary, commercial off-the-shelf technologies, as these newer systems provide more functions, with better efficiency, costs (acquisition, operation, and maintenance), and effectiveness.”
There is one significant new type of information that is provided in the latest version of the document; a listing of references for each section. There is a new sub-paragraph (X.X.X.4) in each section that list where industry specific information supporting that section can be found in documents like NIST SP 800-53 and the NERC CIPS. This information will be a big help to standards writers.

Facility Use

This document was designed to be used by standards writers, not critical infrastructure facilities. Having said that; this is probably a good document for cyber security officers at high-risk chemical facilities to have in their library. Anyone familiar with the CFATS program will understand that the Risk-Based Performance Standards Guidance document (which I cannot find referenced in this document even a single time; imagine that) is totally inadequate in the guidance it provides for ICS security matters. The guidance in this document is much more extensive in its ‘requirements’ than a chemical security inspector will ever look for in a site security plan, but it provides better security guidance than available from ISCD.

This cyber shortcoming in the CFATS program is not unexpected and has nothing to do with any shortcoming in the leadership, past or present, at ISCD. First this kind of detailed guidance was prohibited by Congress when they authorized the CFATS program; DHS cannot specify security requirements for CFATS facilities. Next ISCD only has so many personnel slots and the rest of the CFATS program is complex enough in its own right to require more expertise than ISCD can afford to hire. Add to that the general shortage of ICS security experts to begin with and it is actually amazing that ISCD has done as well as it has. That makes it even more of a shame that the effort was so inadequate.

Facilities with a cyber security manager that really understands industrial control systems (a low percentage of facilities I am sure) will find that this document will help them in writing their cyber security plan. And if you think about it, isn’t that ‘standards writing’?

No comments:

 
/* Use this with templates/template-twocol.html */