FISMA / SP800-53 is not Utopia?

The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security team could make. Basically the CIP’s required the elements of a sound control system cyber security program, but they left a lot of room of discretion, which utilities could exploit to avoid implementing security if that was their goal. This approach made sense when it was a NERC program of self regulation by utilities, not a US Government regulatory program.

The Energy Act changed all that, and now we have FERC, the ERO and a desire to get more specific and allow less judgement. This is challenging because it is a very different approach from the original text, but not impossible.

There has been a drumbeat from some big voices in the community, now echoed by some in Congress, that we all should use NIST’s SP800-53. It’s better and would result in higher security, they say. It will solve all the problems that exist with the CIP standards. While SP800-53 would have been a reasonable choice for NERC or any other sector to start with, changing the CIP’s to a SP800-53 based approach is going to be a highly inefficient use of resources: money and effort that could be used to improve security would instead go into all new terms, methodologies, etc.

And a paper exercise built around SP800-53 is not solving all the problems, nor is it going so well after years of effort. In fact, the US Government recently said just that in its proposed changes to FISMA, the Federal Information Security Management Act of 2002. FISMA today requires Federal agencies to select and implement appropriate security controls from SP800-53 after a risk assessment.

There is a good summary article on the proposed changes to FISMA in Information Week, but this paragraph on the cost of the effort, with its emphasis on the documentation, sounds eerily like what electric utilities are saying:

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies’ cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

Is the move to a NIST SP800-53 paper exercise really going to be worth losing all the training and momentum around a different paper exercise? My answer is no. Maybe we should instead look at what the Federal Government sees as deficiencies in the paper approach and at how it is trying to move towards continuous monitoring and better security benchmarks.

The purpose of this post is not to critique FISMA and SP800-53. If you want that, I suggest you read Richard Bejtlich’s writings on the subject over the last five years and on the recent memo discussing changes. He is very skeptical, to put it mildly, of the value of the FISMA paper exercise for truly improving security, and of the proposed changes as well.

Instead, the purpose of my post is to point out that SP800-53 is not the cure-all it is being portrayed as vis-a-vis NERC CIP. $1,400 per report page? And the government only got a C grade in 2009, up from a C- in 2008. And many government agencies get D’s and F’s. And do we believe the grades when an organization goes from a B one year to an F the next, and vice versa? There are questions whether a good grade actually means better security or just better documentation. Maybe the next gen NERC CIP’s, and other sectors looking at developing standards, should look hard at where FISMA is failing and at different approaches rather than adopt the current Federal approach as utopia.

5 comments to FISMA / SP800-53 is not Utopia?

  • I’ll pass on commenting on the amusing standards politics within the control systems community. :)

    Despite Richard’s expertise on network security monitoring, I wouldn’t be so quick to parrot his opinions as the sole source of wisdom on the topic unless the purpose is exclusively to rattle the cages of the NIST fanboys. Check out folks like @danphilpott that have less axe to grind and know the standards better.

    Personally, the control monitoring vs. threat monitoring is just as much a false dichotomy as the OT vs. IT security debate. There really wasn’t as much daylight between Ron and Richard on the PaulDotCom podcast on the topic as you would think.

    Of course C&As (whether FISMA or DIACAP) can be a paper chase, but they don’t have to be exclusively so, depending on the mindset and objectives of the team helping the government agency, or the system in the case of a DIACAP/PIT C&A for DoD. If the stars align and the organizations and analysts preparing the C&A package and performing testing (yes, testing is actually done) think beyond the checklist and actually attempt to understand the system and realistic threats, you can use the C&A process to make the sort of gains you describe with NERC CIP. And in the case of DoD, using things like the Application Security STIG can provide a lot more rigor than you could ever get with NERC CIP. These provide much more leverage over control systems vendors than you could ever get with NERC CIP.

    The bottom line is that regardless of the approach (threat vs. controls) or the standard (NERC CIP, FISMA, DIACAP, PCI), if you aren’t serious about security you can rig your audit/assessment.

  • I must have missed the mark in that blog entry because, Matt, your comment and one from Jake on the SCADAsec list did not pick up on my main point.

    Take 2: Will going through the effort to switch from the current NERC CIP approach to a NIST SP800-53 approach lead to a significant improvement in security that is worth the disruption in momentum?

    The electric sector is just now coming to understand and implement the current approach. Seems like a bad time for a major change unless it is going to be a major improvement.

    When I hear Congressmen asking “expert” panels why they are not using SP800-53 instead of the NERC CIP’s, and the following political pressure to FERC to ERO …, it leads me to wonder why they think SP800-53 is the silver bullet. This latest relook at FISMA by the USG hopefully will cause a relook at the wisdom of a mid-course correction.

  • Maybe I’m missing something, Dale.

    On the one hand, we have a set of recommendations in NERC CIP that one can drive a truck through. On the other hand, we have paper tigers such as NIST 800-53.

    I think these assessments are meant to rub management’s nose in the current situation and to force them to at least acknowledge the shortcomings. That way, *when* stuff gets hacked, they can’t say they were ignorant of the possibilities.

    Neither NERC CIP nor NIST 800 can actually fix a problem, however. If one chooses to acknowledge these problems and call them business risks, then you’re right. It is just a paper tiger. Yes, NERC CIP actually does have a few recommendations, feeble though they may be. And in fairness to NIST, there is a prescriptive document in 800-82 that has lots of reasonable recommendations. But you have to choose to do something before it can be useful to you.

    Ultimately, managers do not comprehend these reports. Instead, they want the paper so that they can have plausible compliance, instead of real security. The problem here is that they do not and often cannot comprehend the risks. For them, this is complicated stuff that isn’t worth the time it takes to understand it – until someone hacks them.

    This is like being a North American car manufacturer in the 1970s. We have the quality assurance program in place. They’re telling us that the cars coming off the assembly line are utter garbage. Yet management still insists on selling it regardless of the fact that others are building better stuff at very little additional cost.

    The question of whether we use this quality report or that one is almost irrelevant. We need to build better components and better systems. I don’t see much happening with either method.

    Am I missing something?

  • Jake – You sort of make my point with your 2nd to last paragraph.

    Efficiency of effort is very important because we have much to do to secure critical infrastructure control systems. We also still have far too few people who know how to do this, C-level executives who get it, and time and money devoted to this – probably multiple blog entries there.

    So lots to do with limited resources. Is it wise to spend those resources revising the CIP’s from their current approach to a SP800-53 approach? It is much more than just the effort to revise the documents. A major portion is the education, processes, and other people issues that have taken a long time to build up. Now, right when they are starting to roll, we are going to change?

    And if “the question of whether we use this quality report or that one is almost irrelevant” why are we going to waste major resources on this change?

  • One last comment: Bob Huba writes over at SCADASEC, http://news.infracritical.com/pipermail/scadasec/2010-April/000967.html

    “Be aware that NIST 800-53 is the basis for the Foundational Requirements in ISA SP99 – The Foundational Requirements team have spent the last year or more going through the document based on using 800-53 and making it more suited for a Control system security standard. So regardless of what Dale and others might think – 800-53 is being used in control system security – but not straight out of the box. I will be a proscriptive part of the standard.”

    Exactly!

    ISA99 created a cross-walk document between ISA99 and SP800-53, a great appendix, and perhaps added some requirements. They did not say our approach should be scrapped and replaced with SP800-53.

    ISA99, NERC CIP, SP800-53 and others define cyber security program requirements. They just take different approaches in structure, language, terms, specificity, etc. One could argue that a certain document is better than another. However, once there is an investment in one approach or document, the cost in time and money and lost opportunity is not worth the effort.
