Will the NIST approach to the Executive Order actually support Industrial Control Systems (ICSs)?

July 15, 2013

I have been involved with NIST to one degree or other on ICS cyber security since 2000 and on other technical issues long before that. I have done this as I firmly believed NIST was the best independent organization to be able to develop ICS cyber security standards. Unfortunately, I can no longer say that in good faith.

I have been involved with NIST to one degree or other on ICS cyber security since 2000 and on other technical issues long before that. I have done this as I firmly believed NIST was the best independent organization to be able to develop ICS cyber security standards. Unfortunately, I can no longer say that in good faith.

Background
While at EPRI in 2000, NIST's Ron Ross, Stu Katzky, Jerry Fitzpatrick and Al Wavering, and I helped start the Process Control Security Requirements Forum which eventually morphed into ISA99. I helped provide input to the original version of NIST SP800-82. Marshall Abrams from MITRE and I helped develop NIST SP800-53, Appendix I by doing detailed analyses on several actual control system cyber incidents. The detailed analysis of the Olympic Pipeline Company gasoline pipeline rupture in Bellingham, WA is not only one of the most comprehensive detailed analyses of an ICS cyber incident to date, it also provided the confirmation that the 2010 PG&E San Bruno natural gas pipeline rupture was a ICS cyber incident.

A group of us, Keith Stouffer from NIST, Marshall Abrams from MITRE, Dave Norton, then of Entergy and now of FERC, and I did the first detailed cross comparison between NIST SP800-53 and the NERC CIPs. In 2007, our team of Marshall, Ron, and I were also approached by a plant control system engineer to do the first detailed benchmark of how NIST SP800-53 could be applied in a real case. Unfortunately, the utility's Corporate security management prevented that project from occurring. In October 2007, I testified to the House Homeland Security and Emerging Threats Subcommittee that the NIST approach was superior to the NERC CIP approach and would be on the same order of magnitude of cost. I was crucified by NERC and industry for putting my neck out for NIST.

Through no fault of NIST, NIST's technical approach dealing with ICS cyber security changed with the Smart Grid Cyber Security efforts. That was because Congress mandated NIST to oversee, not actually develop, Smart Grid cyber security and interoperability standards. From an ICS cyber security perspective, it was not a success. Fast forward to the current Executive Order. I met with a number of NIST senior staff in February at RSA. Suffice it to say, there was not a clear understanding by them of what makes ICSs different. I watched the first NIST industry session from NIST's Gaithersburg facilities via video and was appalled by the lack of ICS knowledge or formal participation. On 12 Jul 2013 11:22 AM PDT, IBM's Andy Bochman posted the Smart Grid Security Blog about the third NIST meeting held in San Diego with the title being "NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs". I sent Andy a note and received the following response:

"Good morning Joe. I think it's a good thing you weren't in SD. Would have made you crazy for the near complete absence of anything related to control systems thinking... Andy"

I feel like a broken record saying the system is broken. Are the politics so thick that NIST cannot do a better job of providing appropriate ICS cyber security guidance than they did with Smart Grid?
Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...