The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security team could make. Basically the CIP’s required the elements of a sound control system cyber security program, but they left a lot of room of discretion, which utilities could exploit to avoid implementing security if that was their goal. This approach made sense when it was a NERC program of self regulation by utilities, not a US Government regulatory program.
The Energy Act changed all that and now with have FERC, ERO and a desire to get more specific and allow less judgement. This is challenging because it is a very different approach than the original text, but not impossible.
There has been a drumbeat from some big voices in the community, that is now echoed by some in Congress, that we all should use NIST’s SP800-53. It’s better, would result in higher security they say. It will solve all the standard problems that exist with CIP. While SP800-53 would have been a reasonable choice for NERC or any other sector to start with, changing the CIP’s to a SP800-53 based approach is going to be a highly inefficient use of resources that could be used to improve security rather than all new terms, methodologies, etc.
And a paper exercise built around SP800-53 is not solving all the problems or going so well after years of efforts. In fact, the US Government recently said just that in their proposed changes to FISMA, the Federal Information Security Management Act of 2002. FISMA today requires Federal agencies to select and implement appropriate security controls from SP800-53 after a risk assessment.
There is a good summary article on the proposed changes to FISMA in Information Week, but this paragraph on the cost of the effort with emphasis on the documentation that sounds eerily like what electric utilities are saying:
Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies’ cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.
Is the move to a NIST SP800-53 paper exercise really going to be worth losing all the training and momentum around a different paper exercise? My answer is no. Maybe we should look at what the Federal Government is seeing as deficiencies in the paper approach and trying to move towards continuous monitoring and better security benchmarks.
The purpose of this post is not to critique FISMA and SP800-53. If you want that I suggest you read Richard Bejtlich’s writings on the subject over the last five years and on the recent memo discussing changes. He is very skeptical, to put it mildly, of the value of the FISMA paper exercise to truly improving security as well as the proposed changes.
Instead, the purpose of my post is to point out that SP800-53 is not the cure all it is being portrayed as vis-a-vis NERC CIP. $1,400 per report page? And the government only got a C grade in 2009, up from a C- in 2008. And many government agencies get D’s and F’s. And do we believe the grades when an organization goes from a B one year to an F the next, and vice versa?There are questions whether a good grade actually means better security or better documentation. Maybe the next gen NERC CIP’s and other sectors looking at developing standards should look hard at where FISMA is failing and different approaches rather than look at adopting the current Federal approach as utopia.