Jason touched on the growing frustration with NERC CIP, and the realization that in many ways the CIP mandated compliance focus is actually impeding security progress. Joe Weiss has led the charge that CIP should be replaced with NIST SP800-53, but this comes as the government is realizing SP800-53 is a huge paperwork exercise that has not markedly improved security.

The question I keep getting from reporters chasing Stuxnet is “What regulation is required to prevent Stuxnet?” Of course, this is a bad question, but it has led me to think about and ask: what, if any, control system cyber security regulation would efficiently improve security?

Here is my answer: there should be a set of security requirements for applications and devices that are used in control systems that fall into a critical infrastructure category. For example, if you are going to use a field device in a critical infrastructure control system it must:

  • require source and data authentication for firmware uploads, process/program changes, all writes, …
  • log all security related activity
  • support multiple user logins and role based authorization
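To make the three requirements above concrete, here is an added example (not code from the original post or from any vendor product) of the minimal logic a field device would need: a write or firmware upload is accepted only if the caller's role permits it and the payload carries a valid authentication tag, and every decision, allowed or not, lands in an audit log. The device key, the role table, the user list and the firmware bytes are all constructed for the example; the HMAC tag stands in for whatever authentication scheme a standards body would pick (a real device would more likely verify a vendor signature with an asymmetric key).

```python
import hashlib
import hmac
import json
import time

# Constructed for this example: a key provisioned on the device at commissioning.
# Shared-key HMAC keeps the example to the standard library; a deployed device
# would normally verify an asymmetric vendor signature instead.
DEVICE_KEY = b"example-key-provisioned-at-commissioning"

# Assumed role-based authorization table: which actions each role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "operator": {"read", "write_setpoint"},
    "engineer": {"read", "write_setpoint", "change_program", "upload_firmware"},
}

# Assumed user accounts; each login maps to exactly one role.
USERS = {"alice": "engineer", "bob": "operator", "carol": "viewer"}

# Security audit log: one entry per authorization or authentication decision.
AUDIT_LOG = []


def log_event(user, action, outcome, detail=""):
    """Record a security-relevant event and return the entry that was stored."""
    entry = {
        "ts": time.time(),
        "user": user,
        "action": action,
        "outcome": outcome,
        "detail": detail,
    }
    AUDIT_LOG.append(entry)
    return entry


def authorize(user, action):
    """Role-based check: is this user's role allowed to perform the action?"""
    role = USERS.get(user)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())


def sign_firmware(image, key=DEVICE_KEY):
    """Produce the authentication tag the source attaches to a firmware image."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def verify_firmware(image, tag, key=DEVICE_KEY):
    """Data authentication: recompute the tag and compare in constant time."""
    expected = hmac.new(key, image, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def upload_firmware(user, image, tag):
    """Accept a firmware upload only if both checks pass; log every outcome."""
    if not authorize(user, "upload_firmware"):
        log_event(user, "upload_firmware", "denied", "role lacks permission")
        return False
    if not verify_firmware(image, tag):
        log_event(user, "upload_firmware", "rejected", "authentication tag mismatch")
        return False
    log_event(user, "upload_firmware", "accepted", hashlib.sha256(image).hexdigest())
    return True


def write_value(user, action, value):
    """Generic authenticated write path for setpoints and program changes."""
    if not authorize(user, action):
        log_event(user, action, "denied", "role lacks permission")
        return False
    log_event(user, action, "accepted", json.dumps(value))
    return True


if __name__ == "__main__":
    # Constructed firmware image and a valid tag for it.
    image = b"constructed firmware image bytes"
    tag = sign_firmware(image)
    print(upload_firmware("alice", image, tag))        # engineer, valid tag
    print(upload_firmware("bob", image, tag))          # operator: denied
    print(upload_firmware("alice", image + b"x", tag)) # tampered image: rejected
    print(write_value("bob", "write_setpoint", 42))    # operator may write setpoints
    print(write_value("carol", "write_setpoint", 42))  # viewer: denied
    for entry in AUDIT_LOG:
        print(entry["user"], entry["action"], entry["outcome"], entry["detail"])
```

The point of the example is how little is actually required: a role table, an authentication check on the payload, and an append-only log. Everything else on a regulator's wish list builds on those three.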

I have been surprised that most of the regulatory burden has fallen on owner/operators. Some has blown back to vendors in creating documentation of ports/services, getting CIP training, etc., but very little has been forced on them in terms of product.

The problem with the suggested approach is agreeing on the list of security features required in a device or application. My preference is to keep the list short by identifying and focusing on the most important security features. It admittedly would not be complete, but the trade-off is that it would be easier for vendors to meet these requirements and security improvement would be accelerated. We could struggle to identify the perfect security requirements for a field device, like we did in the Field Device Protection Profile for PCSRF, but how long would we have to wait for products?

What if we could say that all field devices must support the top five security features that a regulatory body or standards body agreed on? It would be a huge improvement in security in an area that has seen almost no improvement in a decade. Replacing legacy field devices would be hugely expensive and need to have a reasonable timetable, but I contend it is a lot better use of resources than current regulatory efforts.

What regulation do you think would efficiently improve security in critical infrastructure control systems?