Get your answers here…

Nov. 20, 2007
Some Congresspeople have been asking questions -- intelligent, insightful questions, that indicate that the policymakers are really going to understand and take a role in cybersecurity:

Question from the Honorable Michael T. McCaul:

1. What are the principal differences between the ISA 99 standards and the NIST best practices found in Special Publication 800-53?

Although the developmental processes were different for NIST 800-53 and the ISA 99 standards, the results are harmonious. There has been a significant amount of cross-pollination of people between the NIST and ISA standards which will provide for a seamless transition between the standards. Both ISA and NIST address multiple industries and have similar content in those areas where the development is essentially complete. It should be noted that neither ISA nor NIST include the exceptions and exclusions found in the NERC CIP cyber security standards.

Specifically, NIST SP 800-53 security controls address the management, operational, and technical safeguards, countermeasures, and/or compensating measures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. ISA 99 Part 2 covers the management and operational requirements. NIST will be performing a mapping between ISA 99 Part 2 and the NIST SP 800-53 management and operational security controls. ISA 99 Part 4 will cover the technical requirements. NIST has provided SP 800-53 to the ISA 99 Part 4 Working Group for consideration in the development of the Part 4 standard. No significant differences are expected.

Question from the Honorable Paul C. Broun:

2. What, in your opinion, is the most egregious element of the NERC CIP standards? If they had to change one particular element to be in line with your recommendations, what would it be?

The most egregious element of the NERC CIP standards is the scope, particularly the limitations and vagueness in NERC CIP-002.

To be in line with my recommendations, there would need to be two changes. The first change would be to eliminate the exclusions of telecom, market functions, electric distribution, non-routable protocols, and nuclear power plants. The systems and protocols that have been excluded by the NERC CIP process have vulnerabilities that could affect the reliability of the electric grid. The second change would be to require all systems that are electronically connected (e.g., digital or analog connection of information or control systems) to be considered critical. These changes would result in the utilities addressing all systems throughout the enterprise that could be pathways into or out of the control system networks. These changes are consistent with what is required for securing business Information Technology applications and would make the NERC CIPs more consistent with the NIST framework.

Joe Weiss, PE, CISM
