NIST and DOE still not distinguishing between IT and ICS

Nov. 15, 2011

A message from Joe Weiss:

In September 2011, DOE published the Electricity Sector Cybersecurity Risk Management Process Guideline for comment. The document draws from a significant number of experts, though none are industrial control systems (ICS) experts. The document effectively equates IT and ICS. It references IEC-62443, which is still not a formal document, and excludes any mention of ISA99.

Meanwhile, NIST recently published their National Initiative for Cyber Security Education (NICE) Cybersecurity Workforce Framework. The document states: "Consequently, with the exception of select critical support roles that allow cybersecurity professionals to effectively do their work, we did not include occupational specialties related to acquisition, physical security, oversight of critical infrastructure, electrical engineering, and so forth." This can create, or at least exacerbate, the training and cultural issues that currently divide IT Security and Operations.

NIST and DOE need to address the unique aspects of industrial control systems as identified in NIST SP800-82. Moreover, NIST SP800-82 needs to be updated to address newer threats to ICSs, including threats such as Stuxnet.