I’ve been involved to varying degrees with security standards efforts for way too long now, almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan Singer joined Wurldtech, that did not make sense any more for obvious reasons, so at that point it became one of many possible pro bono activities. Since then I have been only minimally involved, lurking in an occasional weekly conference call and looking at some of the documents.
So the question we have been asking internally, and are still asking, is: Is actively contributing to ISA 99 Part 4 or another control system security standard the most efficient use of our pro bono time to move the control system security effort forward? This question came up again with the NERC call for technical experts to help with CIP revisions.
Another question is whether a consensus standard that passes a vote is a worthy security document. Is it a representation of good security practice or a least common denominator? I have written before about my angst with Insecure by Default votes. Most involved with NERC CIP will tell you that many requirements were reduced in rigor so the standard would pass rather than because it was what the drafting committee agreed was best.
I admit that we have a few unique advantages at Digital Bond in this decision. We have ways of getting content to the community through the blog, subscriber tools, SCADApedia, … We also have minimal restrictions on releasing this type of information. Many asset owner and vendor security resources find these standards efforts to be one of the few public venues in which they can contribute.
I regrettably conclude that our pro bono time is better spent developing that content and those tools than slogging through the standards process. This is not meant to devalue those documents; they are needed and we will continue to track them. Unfortunately, the pace and the results per hour spent are much lower than for the other available options.