The NIST Framework and what still needs to be done
The recently issued NIST Framework on CIP is a good basic top level document. It directly addresses ICS which is a great step forward and I am very happy to see IEC (ISA)-62443 liberally addressed. I believe the shortcoming is the lack of any actual requirements.
The “gold rush” of companies and conferences that are going to “help” CIP organizations understand and implement the NIST framework has already begun. Many of them know little or nothing about control systems.
While there are some differences between systems and between companies, the actual ICS systems are very similar in the critical (and non-critical) infrastructure industries. There are some clear requirements, specifically those called out in the IEC/ISA-62443 (ISA99) standard that should be included in any guiding framework for ICSs in the critical infrastructure industries. Requirements are benchmarks in the design of safer and more secure systems.
What will it take to actually make progress in improving ICS security, beyond the myriad programs that address IT networks but not the ICSs themselves?
After many years, it is unfortunately clear that Congress will not regulate CIP owners. I believe the only organizations that can have any actual teeth will be those with the most at risk – Wall Street and the insurance companies. The insurance companies have a precedent. As far back as the late 19th century, insurance companies drove the regulation of steam boilers to reduce the number of accidents and fatalities on land, rivers, and sea. The use of predictive maintenance technologies such as vibration monitoring has resulted in reduced insurance premiums. So did auditing process plants to make sure their safety systems conformed to IEC 61508 and IEC 61511. The same can be done with cyber security.
On February 18th, I had the opportunity to address utility insurers and utility risk managers at the Energy Insurance Mutual Risk Managers Information Meeting. As with other conferences, many of the issues specific to ICS cyber security were misleading. A specific example of misleading information was a slide presented by a former senior government employee. The presentation referenced a November 2012 Zpryme Smart Grid Insights Survey that stated that generation was almost completely secure and that distribution and transmission were mostly secure. I then gave a presentation on ICS cyber security with specific examples of what has already happened. The insurance industry and risk managers obviously deal in risk to the organization. From my informal discussions before and after the conference, it was evident this information struck home, at least to some. I believe this will be the best chance to actually have ICS cyber security addressed by senior management in a meaningful manner.