Last week the US Government published the Preliminary Critical Infrastructure System Cybersecurity Performance Goals and Objectives that included nine categories of recommended practices. Last week the US Government also published a draft of SP1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector.
These are on top of a growing list of recent US Government guidance and requirements that are only partially listed below (note this does not include the Department of Energy and other sector-specific agency documents). There are also a growing number of European, Australian and other government standards and guidelines that will affect asset owners in their respective countries.
Then there are the industry standards. The pipeline industry has the new API 1164 Version 3 standard, on top of the new TSA requirements for US owner/operators. IEC 62443 has a large and growing page count of standards and guidelines on ICS security. AWWA has guidance for water and wastewater. Automotive has its standards…
At this point, asset owners are awash in information that is largely duplicative, as the crosswalk documents, yet more documents, seem to indicate. Is the fact that the documents are essentially saying to implement similar controls a good or bad thing?
A Good Thing
There seems to be consensus amongst standards and guideline authors and organizations on the security controls that should be implemented, maintained and audited. If you use one document, there is a good chance you are meeting 80% of another document, and the 20% gap would not be hard to close.
A Bad Thing
If there is an actual need for all these different documents, then why are they so similar in security controls? Are we suffering from groupthink? And is something that is a consensus of decade-old practices really how we are going to create the future in OT and ICS security?
Four years ago it looked like the NIST Cybersecurity Framework (CSF) was going to be the one document that ruled them all, at least in the US. Companies could point to their NIST CSF current profile, target profile, and implementation tier. It could be used for IT and OT. And in OT it could be used for refineries, pipelines, power plants, factories, and any other sector.
A consistent CSF approach and documentation could be useful for regulators, insurance/reinsurance, the financial markets, executive management, peer comparisons and more.
If a sector believed it was unique, it could create a sector profile, and some had done that directly rather than through crosswalk documents.
The high-profile DHS CISA documents issued in 2021 are stepping away from the NIST CSF and adding confusion for asset owners as to which standard or guideline to base their OT cybersecurity program around. Do I use the NIST CSF five functions and subcategories? The just-released Goals and Objectives nine categories? Do I use the CISA ICS Recommended Practices eight areas? Do I use the 19 categories of security controls in NIST SP 800-82? Or do I look to my sector-specific agency such as DoE, TSA, or EPA?
I never thought I would write the next sentence. The bulk electric system might be lucky that it has clear security requirements (or at least a single set of requirements) in the NERC CIP documents.