NIST Frameworks vs NERC CIPs

Oct. 23, 2007


The October 17 Congressional hearings generated a great deal of interest and also consternation, particularly from NERC, EEI, and the utilities. There is ample evidence that many utilities have not been making much progress in actually securing their control systems or in responding to the recent ES-ISAC Advisory on the Aurora vulnerability. The NERC CIPs are not technically adequate to secure any computer system, much less critical infrastructure.

The NIST Framework has been vetted internationally and across multiple industries. We did a line-by-line comparison between NIST SP800-53 and the NERC CIPs. SP800-53 was significantly more comprehensive, even at its lowest (low-impact) baseline. Of all the cyber security standards I have seen to date covering multiple industries, the NIST framework is the best security framework currently available for IT and control systems.

The links for the NIST documents are:

Link to SP800-53A: http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf

Link to the draft SP800-53 ICS interpretation: http://csrc.nist.gov/groups/SMA/fisma/ics/documents/draft-ics-interpretation_SP800-53.html

Links to the second draft of SP800-82:
2nd-Draft-SP800-82-clean.pdf (2,245 KB)
2nd-Draft-SP800-82-clean.pdf.zip (1,739 KB)
2nd-Draft-SP800-82-markup.pdf (2,001 KB)
2nd-Draft-SP800-82-markup.pdf.zip (1,701 KB)

NIST requests comments on NIST SP 800-82 by November 30, 2007. Please submit comments to [email protected] with "Comments SP 800-82" in the subject line.

I was surprised to find that Alan Paller of SANS questioned the validity of this work. In the October 19 issue of SANS NewsBytes, he states:

"[Editor's Note (Paller): NERC (the self-policing body set up by industry to ensure reliability of the US electrical system) has made significant strides in recent months toward ensuring that its standards are more than the paper exercises endemic in federal agencies following NIST guidelines, but more needs to be done. The cause of NERC's slow action appears to be a lack of urgency felt by NERC managers who have been misled about the threat and whether mitigations are fully in place. It would be wasteful for Congress to step in, but many Senators and Congressmen feel FERC (the Federal Energy Regulatory Commission that oversees NERC) needs additional power and urgency.]"

The reason for the FERC NOPR and the Congressional hearings is that the industry has NOT made significant strides in recent months. In fact, I would argue they have made insignificant strides, at best. Consequently, there is a need for government intervention. Who does Paller believe is misleading NERC managers about the threat and about whether mitigations are in place?

Finally, SANS is NOT a control system organization; ISA is. ISA is the international standards organization for control systems, with ongoing efforts within S99 on control system cyber security. Control system expertise is needed, supplemented with computer security expertise, in that order. Consequently, SANS should be working with ISA.