ISA SP99 v. NIST SP800-53

After the Congressional testimony in October, the panelists were provided with questions from committee members. Joe Weiss shares two along with his answers in his latest Unfettered entry.

Congressman McCaul asks “What are the principal differences between the ISA 99 standards and the NIST best practices found in Special Publication 800-53?”

I know and admire Joe, but I think he missed the obvious answer to that question. SP800-53 exists and ISA SP99 Part 4, which will eventually include all of the normative technical controls, is at least two years away.

Work is just beginning on SP99 Part 4, and the Working Group is trying to reach consensus on the approach and structure of the document. It may or may not look at all like SP800-53. SP800-53 is being used as one of many reference documents by the group, and there have been discussions about developing, at the end of the effort, a chart that maps requirements to this and other standards, including NERC CIP.

The current discussions in the last few weekly conference calls have been about the number of security levels. Requirements will then be assigned to security levels. There is a good chance that the number of security levels will differ between the two documents, and SP99 has not adopted the 3 x 3 NIST grid for determining security levels.

In the end, I would expect the documents to have a lot of overlap, as most of the documents in this space do. The labs did a mapping that showed this in a catalog document that was briefly available online. If the goal is to be close to a 100% match between SP800-53 and SP99, we should all stop wasting time working on SP99. This sounds flip, but it may be a valid suggestion.

NIST SP800-53 is a very good document, but we should not put a halo on it. SP800-53 was used to audit Federal control systems, and it had some major problems. This is why NIST has written draft Industrial Control System (ICS) Supplemental Guidance for about 25 of the controls. The guidance essentially says that a given control may not be technically feasible for an ICS. So some of the rigor that proponents of SP800-53 like is in fact being reduced.

Comments

Comment from CallBEFOREYouDig
Time: November 21, 2007, 12:07 pm

NIST also has a draft SP 800-53 Rev. 2 as of Nov 16, 2007. See http://csrc.nist.gov/publications/drafts/sp800-53-rev2/Draft_800-53-rev2-AppendixI_fpd-clean.pdf . In general, the ICS guidance relies heavily on compensating controls.

Comment from Ron Southworth
Time: November 22, 2007, 10:43 pm

Hi Dale,

It is interesting to read or hear that people skip from ISA SP99 to SP800-53 without referencing SP800-82 in the discussion of which one should we use or should we drop, one in favour of the other.

I do agree with the first principle of having an accumulated set of best practices “in one package” to use as a basis for implementation guidance.

To compare these documents when there are such varied life cycles for each document process is somewhat unfair.

I am of the opinion that this raft of best practice activities should rightly lever off each other so there is some benefit in the life cycles of each document’s development cycles - a saving of rework.

It comes back to some bigger picture principles.

I believe however that the ISA standard is a very reasonable compilation of providing best practices for Industrial Control Systems context whereas SP800-53 is at the end of the day something from which Federal Organisations in the USA are bound to conform to. A form of legal compliance and therein begins the rub.

I harp about this all the time so I will try not to repeat myself except to say that these standards all have merit.

It is in how they are applied and used as leverage. The motivation that is behind the desire to establish some corrective action and timeliness in mitigation of our critical infrastructure protection improvements upon owners and operators in the USA is understandable. Utilities by and large nowadays are no longer national treasures and assets and therefore now exist to provide a profit to their shareholders and to be efficient in running costs. The fact that they provide a service to obtain this income really is seen as an outlay in the business model.

What is more important, the need to impose regulation or the end result?

For certain there is an element of regulation required to allow for a lack of honour and accountability we have in our capitalistic way of life and this necessarily involves a legal framework to prevent these lapses in community responsibility.

It would be better however to not overburden utilities in an adversarial framework with respect to cyber security. There are already enough adversaries to contend with without creating more. This is what I am greatly concerned with.

I think DHS with the CSSP efforts, their approach to partner with the community is a better (maybe longer) road with more long term and lasting cultural changes and improvements. I think that this vision needs to be nurtured and fostered and built upon.

Comment from Keith Stouffer
Time: December 7, 2007, 12:48 pm

I would like to clarify some of the statements that have been posted here concerning the control system material (Appendix I) that has been developed for NIST SP 800-53. Please note, as Ron mentioned, that US federal agencies that own/operate information systems, including industrial control systems, must comply with the security controls specified in NIST SP 800-53.

Dale, you mentioned that “The guidance essentially says this control may not be technically feasible for an ICS. So some of the rigor that proponents of SP800-53 like is in fact being reduced.” The first sentence, to a degree, is correct. This was one of the reasons why the ICS material was developed for SP 800-53. The second sentence of this quote is incorrect.

What the material in SP 800-53, Appendix I states is that in situations where the ICS cannot support, or the organization determines it is not advisable to implement particular security controls or control enhancements in an ICS (e.g., performance, safety, or reliability are adversely impacted), the organization must select and implement compensating controls. The organization must provide a complete and convincing rationale for how the selected compensating controls provide an equivalent security capability or level of protection for the ICS and why the specific security control could not be employed.

It is important to note that compensating controls are NOT exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures employed within the ICS that accomplish the intent of the original security controls that could not be effectively employed. SP 800-53, Appendix I provides example compensating controls for security controls or control enhancements that may not be applicable in some ICS environments.

I would also like to note that the actual security baselines for federal ICS defined in SP 800-53, Appendix I have been STRENGTHENED over the baselines that are specified for general purpose federal information systems:

2 new security control enhancements concerning access control and configuration management (AC-3 ICS-1 and CM-3 ICS-1) have been developed and are included in the Moderate and High baselines.

Additionally, PE-9, concerning power equipment and cabling, control enhancement 1, has been added to the Moderate and High baselines. PE-11, concerning emergency power, has also been added to the Low baseline, PE-11 control enhancement 1 has been added to the Moderate baseline, and PE-11 control enhancement 2 has been added to the High baseline.

Please see SP 800-53 Rev 2, Appendix I http://csrc.nist.gov/publications/drafts/sp800-53-rev2/Draft_800-53-rev2-AppendixI_fpd-clean.pdf for additional information on these new security control enhancements and additions to the security baselines for ICS.

Please note that NIST SP 800-53 Rev 2, Appendix I is currently out for public review and that the deadline for submitting comments is December 14, 2007. The final document is scheduled to be released this month.

As far as I am concerned the relationship between NIST and ISA SP 99 is a very good partnership, each helping the other to more efficiently develop complementary standards that federal agencies can use (SP 800-53 Rev 2) and that the private sector can use (ISA 99) to secure their respective control systems. As mentioned, SP 800-53 has been submitted to ISA 99 to be considered as a reference in the development of the standard. Additionally, work developed by ISA 99 was used by NIST to develop SP 800-53 Rev 2, and any additional material that is developed will be used to better the document as well.

Comment from Keith Stouffer
Time: December 7, 2007, 12:55 pm

Please note that the link for NIST SP 800-53 Rev 2, Appendix I has changed and can be found at http://csrc.nist.gov/publications/drafts/sp800-53-rev2/Draft_800-53-rev2-fpd-corrected-sz.pdf

Comment from Hans Daniel
Time: April 24, 2008, 11:17 pm

NIST is producing good documents but just too many of them and too many pages. They look to me like research papers, like contributions to standards work, well worth picking and choosing from, to use concepts and elements.

Indeed I do not believe the NIST documents went through the negotiation and agreement process which characterises industrial standards work. Are the NIST documents not written single-handedly by consultants, commissioned by government? Like the Grundschutz we talked about?

The practitioner is looking for a unified, hands-on SCADA security standard. That’s what I (and probably most of the people in industry) expect from ISA WG4.

Why is this so hard to accomplish?
