
Control Systems Security Standards Efforts ROI

I’ve been involved to varying degrees with security standards efforts for way too long now, almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan Singer joined Wurldtech that did not make sense any more for obvious reasons, so at that point it became one of many possible pro bono activities. Since then I have been only minimally involved, lurking in an occasional weekly conference call and looking at some of the documents.

So the question we are asking internally was and is: Is actively contributing to ISA 99 Part 4 or another control system security standard the most efficient use of our pro bono time to move the control system security effort forward? This question came up again with the NERC call for technical experts to help with CIP revisions.

Another question is whether a consensus standard that passes a vote is a worthy security document. Is it a representation of good security practice or a least common denominator? I have written before about my angst with Insecure by Default votes. Most involved with NERC CIP will tell you that many requirements were reduced in rigor so the standard would pass rather than because it was what the drafting committee agreed was best.

I admit that we have a few unique advantages at Digital Bond in this decision. We have a way of getting content to the community through the blog, subscriber tools, SCADApedia, … We also have minimal restrictions in releasing this type of information. Many asset owners and vendor security resources find these standards efforts as one of the few public areas they can contribute in.

I regrettably conclude that our pro bono time is better spent developing that content and tools than slogging through the standards process. This is not meant to devalue those documents; they are needed and we will continue to track them. Unfortunately, the pace and results per hour spent are much lower than other available options.

Comments

Comment from Ralph Langner
Time: May 5, 2008, 2:36 pm

No doubt a handful of committed experts, free of political bindings of any kind, can produce results much more efficiently than any standards body. The question remains, however, who will be able to generate the bigger impact in the long run. I believe playing both tables is the strategy of choice, with the emphasis on pushing the envelope in the area where you can.

Comment from Bryan L Singer
Time: May 6, 2008, 10:27 am

This is a great place to bring up the safety parallel again. Ralph’s question is well posed: which does have a longer-term effect? While free development of tools and documentation indeed does produce some short-term benefits, the results are short lived and soon forgotten in many cases, and without the industry vetting required of such activities, they often have inconsistencies and experience inapplicability in other areas. In other words, the quality of the tools and techniques is limited by the very few people that are working on the tool.

Standards do indeed move slowly, but they also imply that a lot more input and perspectives can be considered. While I won’t comment about the NERC process, there are reasons why that happened and there are also reasons why the ISA-99 effort and others have not suffered the same types of problems. The NIST 800-53 documents are a great example where this has precisely NOT happened.

Think about safety… in the 80’s and 90’s industry saw a rise in hardware and software failures due to logic and programming faults in the programs. A number of companies surely addressed this issue on their own then, too. While some great work was surely done, a lot has moved on as forgotten to history. But, hopefully the best of those lessons were worked back into the standard and the end result is that we now have a widely accepted and robust set of safety standards and legislation.

Candidly… While I appreciate open discourse, I think questioning the process is a bit dangerous. Of course I do have (as one of the chairs of ISA-99) a lot of sweat equity built into the process. But, having started this back in 2001/2 and previous work in ISA-88 and 95, I can say that we do see the benefit. I can look back to words and approaches a number of us started back at that time that are now commonly accepted. Subtle, in many cases, but we can see where the efforts have resulted in more consistency of terminology, understanding of risk, and acceptable views on the issues. Look at that ISA-99 master glossary. We went from chaos in uses of even simple terms to where now most of our industry is using a lot of these terms in similar ways. BTW: This is because we all collectively agreed to use this approach, not just ISA-99.

At the end of the day, it’s not an “either-or” but a “both-and.” We need to keep moving the ball forward in standards, and we all have a responsibility to willingly accept some things that may be a bit difficult to do at the beginning. We all have a responsibility to drive and innovate, and we also have a responsibility to help the rest of the industry by submitting these activities into the standard. Some great examples include the ISA-99 zone/conduit model, the beginnings of the SAL levels, terminology, risk evaluation techniques, etc. We rarely start from scratch. Rather we collect the best available material and then work through the consensus-based process to make the best c

As a final note: Failure to take action or reducing a process to the lowest common denominator because of fear of dealing with hard issues is absolutely inexcusable.

Comment from Ron Southworth
Time: May 6, 2008, 6:56 pm

Hi Bryan,

Some good words all round.

Another way to describe what you are saying is perhaps for industry to make more use of “guidelines”.

With security standards, they should be about principles and methodologies, as these will not evolve or change too rapidly; we know the rigour involved in changing standards is fairly and necessarily exhaustive.

Guidelines can be more short lived, like you have described, and keep pace with the changing landscape.
