Is it soup yet? Not quite. Like a pot of water on the stove, it seems that watched security standards never boil. Unfortunately, many process controls engineers, IT technicians, manufacturers and end users have been left hungry as government departments, trade organizations and corporations struggle to develop and coordinate basic standards for securing industrial networks and software. Certainly, developing pan-industrial security standards is an immense and complex challenge, but several years have passed since many of these chefs started cooking, and the dinner guests are getting famished.
Still, even though the main dish hasn't arrived, you can hear the pans and dishes clanking and the cooks yelling, and a few appetizers have even emerged to keep some diners from getting too restless. All good omens.
Two years ago, there were about 40 government, trade and corporate organizations developing network security standards, and 38 of them reportedly were unaware of similar projects by the others. Since then, many have scrambled to coordinate their standards work. Perhaps the largest effort is by the U.S. Dept. of Homeland Security and the National Institute of Standards and Technology. DHS and NIST also set up the Process Control Systems Forum and the Process Control Security Requirements Forum (PCSRF) to gather input on security needs and best practices. DHS and NIST also are affiliated with the U.S. Computer Emergency Readiness Team and its Control System Security Program (CSSP), which lists control systems incidents and helps users work with suppliers to resolve disputes involving vulnerabilities.
Other guidelines and standards are being drafted by ISA's SP99 committee, the North American Electric Reliability Council, SANS Institute, and the Chemical Sector Cyber Security Program.
One of the more advanced efforts is the first part of ISA99, or S99.01.01, which was approved in October 2007, and the second part, S99.02.02, which was scheduled for a vote in September. Though official results haven't been announced yet, S99.02.01 reportedly passed full committee voting, and final comments were being resolved before scheduled publication in October, according to Jim Gilsinn, NIST's electronics engineer and ISA's editor for S99.02.01. While part one provided ISA99's definitional foundation, developers say part two is the recipe that process control engineers and their IT colleagues can use to secure their applications. Parts three and four are expected to be drafted and start their approval processes next year.
To help all the security standards efforts join forces, NIST compiled network security guidelines from many of the 40 bodies and published them as its 800-53 draft standard in 2007. It helps users and organizations identify common security needs and methods they can share, and also finds which aspects of security might be unique to them.
No doubt the furthest along, NERC's Critical Infrastructure Protection (CIP) standards, CIP-002-1 to 009-1, became law earlier this year. They require North American electricity generators and distributors to comply by Nov. 31, 2009. Likewise, chemical, water treatment, oil and gas and other industry-specific efforts have developed similar security roadmaps, which are likely to evolve into standards, too.
So what can you do to hurry things up? Well, don't wait to be spoon-fed. Get up, set the table, and see if they could use a little help in the kitchen. Evaluate your application's operating parameters, check what security it needs, explore how overall standards might help and maybe contribute to their development. While it's fun to light fires under the cooks, helping them find and use essential ingredients would be more useful for everyone. Bon appétit.