The Chemical Security Bill - adequacy of cyber security recommendations

Dec. 1, 2008
The Chemical Facility Anti-Terrorism Standards (CFATS) includes both physical and cyber security recommendations (though mostly physical). INL made a comparison (actually a correlation) of the CFATS risk-based performance standards recommendations to those in ISA99.00.02. The approach on the surface appeared to be similar to what NIST (and support staff including myself) did for comparing the NIST standards to the NERC CIPs.
The Chemical Facility Anti-Terrorism Standards (CFATS) includes both physical and cyber security recommendations (though mostly physical). INL made a comparison (actually a correlation) of the CFATS risk-based performance standards recommendations to those in ISA99.00.02. The approach on the surface appeared to be similar to what NIST (and support staff including myself) did for comparing the NIST standards to the NERC CIPs. The NIST approach was a true cross-comparison – not only checking for adequacy but cross-correlating what each document had that the other did not. It required a detailed reading of both documents as the titles did not always provide the level of detail needed. The INL approach appears to be a cursory one-way correlation. That is, it provided a correlation of what was in CFATS to its companion title in ISA99.00.02. Similar to the NIST Framework, ISA99.00.02is a very comprehensive standard. In order to determine the adequacy of the CFATS recommendations, there needs to be a determination of what, if anything, is missing from CFATS that is included in ISA99.00.02and/or the NIST Framework. This is important as the NIST cross-correlation effort resulted in identifying significant limitations in the NERC CIPs.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.