What should cyber security legislation look like – and why

April 1, 2009

I have been asked by any number of people in Washington and in different industries what the appropriate cyber security standards should be and why we need legislation.


There are several driving issues that must be addressed in any cyber security standard or legislation:
- Industrial control systems are common across multiple industries, domestically and internationally. Unless we want a Tower of Babel of control systems, there needs to be a common standard so we don’t have a “Brand X for non-nuclear power generation”, “Brand X for water”, “Brand X for Smart Grid”, etc.
- There are a limited number of control system vendors, a limited number of ways to interconnect control systems, and a limited number of control system communication protocols.
- The same control system cyber security problems that affect one industry affect all others using those same control systems, architectures, and protocols.
- The various industries’ attempts at control system cyber security standards, particularly those of NERC, NEI, and the water sector, are weak and/or ineffective. In addition, they haven’t addressed the control system cyber incidents that have occurred and continue to occur.
- NIST SP 800-53 is mandatory for all federal agencies. Because of this, a significant effort was made by NIST, MITRE, and others (including myself) to extend the existing IT controls in NIST SP 800-53 to include control systems. It is now the only document that covers both IT and control systems and has been extensively vetted (revision 3 is currently available for comment). Additionally, not mandating NIST means that all non-federal organizations that electronically interconnect with federal agencies will be “weak links” from a cyber security perspective.

Given all of this, it should be obvious that the de facto cyber security standard for all industries should be NIST SP 800-53 or a close derivative. Since there has been so much pushback from NERC and others, legislation is needed to mandate its use in all critical infrastructure industries. This will not only provide the best existing standard; it is also the best chance for interoperability across all industries (see Smart Grid).

Joe Weiss
