What should cyber security legislation look like – and why

April 1, 2009

I have been asked by any number of people in Washington and different industries what should be the appropriate cyber security standards and why do we need legislation.

There are several driving issues that must be addressed in any cyber security standard or legislation:
-    Industrial control systems are common across multiple industries, domestically and internationally. Unless we want a Tower of Babel of control systems, there needs to be a common standard so we don't end up with a "Brand X for non-nuclear power generation", "Brand X for water", "Brand X for Smart Grid", etc.
-    There are a limited number of control system vendors, a limited number of ways to interconnect control systems, and a limited number of control system communication protocols.
-    The same control system cyber security problems that affect one industry affect all other industries using those same control systems, architectures, and protocols.
-    The various industries' attempts at control system cyber security standards, particularly those from NERC, NEI, and the water sector, are weak and/or ineffective. In addition, they have not addressed the control system cyber incidents that have occurred and continue to occur.
-    NIST SP 800-53 is mandatory for all federal agencies. Because of this, a significant effort was made by NIST, MITRE, and others (including myself) to extend the existing IT controls in NIST SP 800-53 to include control systems. It is now the only document that covers both IT and control systems and that has been extensively vetted (Revision 3 is currently available for comment). Additionally, not mandating NIST means that all non-federal organizations that electronically interconnect with federal agencies will be "weak links" from a cyber security perspective.

Given all of this, it should be obvious that the de facto cyber security standard for all industries should be NIST SP 800-53 or a close derivative. Since there has been so much pushback from NERC and others, legislation is needed to mandate its use in all critical infrastructure industries. This would not only provide the best existing standard, it is also the best chance for interoperability across all industries (see Smart Grid).

Joe Weiss
