Get your answers here…

Nov. 20, 2007
Some Congresspeople have been asking questions: intelligent, insightful questions that indicate that the policymakers are really going to understand and take a role in cybersecurity.

Question from the Honorable Michael T. McCaul:

1. What are the principal differences between the ISA 99 standards and the NIST best practices found in Special Publication 800-53?

Although the developmental processes were different for NIST 800-53 and the ISA 99 standards, the results are harmonious. There has been a significant amount of cross-pollination of people between the NIST and ISA standards, which will provide for a seamless transition between the standards. Both ISA and NIST address multiple industries and have similar content in those areas where the development is essentially complete. It should be noted that neither ISA nor NIST include the exceptions and exclusions found in the NERC CIP cyber security standards.

Specifically, NIST SP 800-53 security controls address the management, operational, and technical safeguards, countermeasures, and/or compensating measures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. ISA 99 Part 2 covers the management and operational requirements. NIST will be performing a mapping between ISA 99 Part 2 and the NIST SP 800-53 management and operational security controls. ISA 99 Part 4 will cover the technical requirements. NIST has provided SP 800-53 to the ISA 99 Part 4 Working Group for consideration in the development of the Part 4 standard. No significant differences are expected.

Question from the Honorable Paul C. Broun:

2. What, in your opinion, is the most egregious element of the NERC CIP standards? If they had to change one particular element to be in line with your recommendations, what would it be?

The most egregious element of the NERC CIP standards is the scope, particularly the limitations and vagueness in NERC CIP-002.

To be in line with my recommendations, there would need to be two changes. The first change would be to eliminate the exclusions of telecom, market functions, electric distribution, non-routable protocols, and nuclear power plants. The systems and protocols that have been excluded by the NERC CIP process have vulnerabilities that could affect the reliability of the electric grid. The second change would be to require all systems that are electronically connected (e.g., digital or analog connection of information or control systems) to be considered critical. These changes would result in the utilities addressing all systems throughout the enterprise that could be pathways into or out of the control system networks. These changes are consistent with what is required for securing business Information Technology applications and would make the NERC CIPs more consistent with the NIST framework.

Joe Weiss, PE, CISM
