Control System Cyber Security and Auditors
I just returned from presenting a short course on control system cyber security at the spring meeting of the LA Section of ISACA – the Information Systems Audit and Control Association. ISACA represents IT auditors. Often, they will be the ones performing control system audits (including NERC CIP), at least internally. With the exception of the person who invited me to speak, the rest of the attendees had never heard the story before. They only knew about IT metrics. My suggestion to them was NIST SP 800-53, as I know of no other approach I could recommend.
IT audit staff have the ears of senior management and the Board of Directors. I believe the IT audit staff can be an asset in securing control systems if approached in a teaming manner.