I have been asked by any number of people in Washington and different industries what should be the appropriate cyber security standards and why do we need legislation.
There are several driving issues that must be addressed in any cyber security standard or legislation:
- Industrial control systems are common across multiple industries domestic and internationally. Unless we want a tower of babel of control systems, there needs to be a common standard so we don’t have a “Brand x for non-nuclear power generation”, “Brand x for water”, “Brand x for Smart Grid”, etc.
- There are a limited number of control system vendors, a limited number of ways to interconnect control systems, and a limited number of control system communication protocols.
- The same control system cyber security problems that affect one industry affect all others using those same control systems, architectures, and protocols.
- The various industries’ attempts at control system cyber security standards, particularly NERC, NEI, and water are weak and/or ineffective. In addition, they haven’t addressed the control system cyber incidents that have, and continue, to occur.
- NIST SP800-53 is mandatory for all federal agencies. Because of this, a significant effort was made by NIST, MITRE, others (including myself) to extend the existing IT controls in NIST SP 800-53 to include control systems. It is now the only document that includes both IT and control systems as well as having been extensively vetted (revision 3 is currently available for comment). Additionally, not mandating NIST means that all non-federal organizations that electronically interconnect with federal agencies will be “weak links” from a cyber security perspective.
Given all of this, it should be obvious the defacto cyber security standard for all industries should be NIST SP800-53 or a close derivative. Since there has been so much pushback by NERC and others, there is a need for legislation to mandate its use in all critical infrastructure industries. This will not only provide the best existing standard, it is also the best chance for interoperability across all industries (see Smart Grid).