NIAC agrees senior management not onboard re cyber security

NIAC is the National Infrastructure Advisory Council. NIAC issued the following report, dated January 16, 2007: "Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations by the Council." It is a good report and reiterates our concerns that senior management is not yet on board. It also makes several very good recommendations. The NIAC recommends:

1. The President establish a goal for all critical infrastructure sectors that no later than 2015, control systems for critical applications will be designed, installed, operated and maintained to survive an intentional cyber assault with no loss of critical function.

2. The Department of Homeland Security (DHS) and Sector-Specific Agencies (SSAs) collaborate with their respective owner/operator sector partners to develop sector-specific roadmaps using the Energy Sector Roadmap as a model.

3. DHS promote uniform acceptance across all sectors that investment in control systems cyber security is a priority. For sectors with regulatory oversight of earnings and investments, DHS should promote inclusion of the costs of control systems cyber security as legitimate investments and expenses that deserve approval by their regulatory bodies.

4. DHS and other relevant Federal agencies implement Convergence Study recommendations for Improved Information Sharing.

5. DHS and other relevant Federal agencies implement Convergence Study recommendations for Executive Leadership Awareness and the framework in Appendix A.

However, there is a misconception that must be addressed. The misconception that each industry is different directly affects the rationale for the formation of NIST's Process Controls Security Requirements Forum (PCSRF), DHS' Process Controls Security Forum (PCSForum), ISA S99 and the standardization benefits from utilizing the NIST Framework.
"Like other NIAC Working Groups before it, the Physical/Cyber Convergence Working Group found that there are significant differences among the critical infrastructure sectors. The NIAC found that each infrastructure sector has a very different control systems profile, with varying exposures and vulnerabilities to cyber attack. This eliminates the possibility that one set of security standards or one set of cyber security solutions could be applied across all infrastructure sectors to address the problem. In addition, the NIAC found that each sector has a very different dynamic with regard to cooperation and collaboration. For example, the electric sector has a long history of inter-company cooperation beginning with the establishment of the North American Electric Reliability Council (NERC) in 1968, whereas other sectors such as the Chemical Sector have a strong tradition of competition and less cooperation. Again, these differences would hamper any attempt to enact a single cross-sector policy to address the problem."

From the report's Section VI, Conclusion: "…The diversity of these systems, the differences among the sectors, the challenges presented with the convergence of these two types of systems, and the dynamic nature of the threat present significant challenges to developing a solution to this problem..."

More than ten years ago, while still at EPRI managing electric industry instrumentation and controls (I&C) programs, I was invited to be part of the American Forest & Paper Association's Agenda 2020 I&C program because our I&C systems were so similar and based on identical control system hardware and architectures. I also worked closely with the chemical companies because their control systems were either similar or exactly the same as those in power plants. Water and wastewater systems utilize I&C equipment that is either similar or identical to those in power plants. The same can be said for many manufacturing facilities.
These similarities spawned the PCSRF, with representation from electric power, water, oil/gas, chemicals, etc. GAO picked up on the commonality, which spawned the creation of the Process Controls Security Forum (PCSForum). These same similarities convinced the different industry divisions within ISA not to develop multiple security programs and policies for each industry, but rather to merge the cyber security efforts from all of the different industries into ISA S99 Manufacturing and Control System Security. It should also be noted that the chemical companies formed the Chemical Industry Data Exchange (CIDX) to address security and are further ahead than the electric utilities.

I would hope that NIAC reassesses its conclusions in this area. It should be noted that none of the members of the Working Group have participated in ISA S99 activities. However, there have been representatives from several of the companies on the Working Group participating in ISA S99.