Will the NIST approach to the Executive Order actually support Industrial Control Systems (ICSs)?

July 15, 2013

I have been involved with NIST to one degree or other on ICS cyber security since 2000 and on other technical issues long before that. I have done this as I firmly believed NIST was the best independent organization to be able to develop ICS cyber security standards. Unfortunately, I can no longer say that in good faith.

Background
While at EPRI in 2000, NIST's Ron Ross, Stu Katzke, Jerry Fitzpatrick and Al Wavering, and I helped start the Process Control Security Requirements Forum, which eventually morphed into ISA99. I helped provide input to the original version of NIST SP800-82. Marshall Abrams from MITRE and I helped develop NIST SP800-53, Appendix I, by doing detailed analyses of several actual control system cyber incidents. The detailed analysis of the Olympic Pipeline Company gasoline pipeline rupture in Bellingham, WA is not only one of the most comprehensive analyses of an ICS cyber incident to date; it also provided the confirmation that the 2010 PG&E San Bruno natural gas pipeline rupture was an ICS cyber incident.

A group of us, Keith Stouffer from NIST, Marshall Abrams from MITRE, Dave Norton, then of Entergy and now of FERC, and I, did the first detailed cross-comparison between NIST SP800-53 and the NERC CIPs. In 2007, Marshall, Ron, and I were also approached by a plant control system engineer to do the first detailed benchmark of how NIST SP800-53 could be applied in a real case. Unfortunately, the utility's corporate security management prevented that project from occurring. In October 2007, I testified to the House Homeland Security and Emerging Threats Subcommittee that the NIST approach was superior to the NERC CIP approach and would be on the same order of magnitude of cost. I was crucified by NERC and industry for putting my neck out for NIST.

Through no fault of NIST, NIST's technical approach to ICS cyber security changed with the Smart Grid cyber security efforts. That was because Congress mandated NIST to oversee, not actually develop, Smart Grid cyber security and interoperability standards. From an ICS cyber security perspective, it was not a success. Fast forward to the current Executive Order. I met with a number of NIST senior staff in February at RSA. Suffice it to say, they did not have a clear understanding of what makes ICSs different. I watched the first NIST industry session from NIST's Gaithersburg facilities via video and was appalled by the lack of ICS knowledge or formal participation. On 12 Jul 2013 11:22 AM PDT, IBM's Andy Bochman posted on the Smart Grid Security Blog about the third NIST meeting, held in San Diego, under the title "NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs". I sent Andy a note and received the following response:

"Good morning Joe. I think it's a good thing you weren't in SD. Would have made you crazy for the near complete absence of anything related to control systems thinking... Andy"

I feel like a broken record saying the system is broken. Are the politics so thick that NIST cannot do a better job of providing appropriate ICS cyber security guidance than they did with Smart Grid?

Joe Weiss
