1. Home

Why should federal power agencies be held to a higher cyber security standard?

July 16, 2007

FISMA is the Federal Information Security Management Act. It is mandatory by federal law for all federal agencies. The controls document for implementing FISMA is NIST Special Publication (SP) 800-53. NIST SP800-53 was developed for IT systems. However, federal agencies including TVA, BPA, WAPA, the Bureau of Reclamation, and the Army Corps of Engineers utilize industrial control systems (ICSs). Consequently, NIST SP800-53 has been extended to address industrial c...

FISMA is the Federal Information Security Management Act. It is mandatory by federal law for all federal agencies. The controls document for implementing FISMA is NIST Special Publication (SP) 800-53. NIST SP800-53 was developed for IT systems. However, federal agencies including TVA, BPA, WAPA, the Bureau of Reclamation, and the Army Corps of Engineers utilize industrial control systems (ICSs). Consequently, NIST SP800-53 has been extended to address industrial control systems and is currently open for public comment (see the FISMA/ICS website: http://csrc.nist.gov/sec-cert/ics/draft-ics-interpretation_SP800-53.html).

A line-by-line comparison was made between NIST SP800-53 and the NERC CIPs with NIST SP800-53 identified as being more comprehensive. Consequently, federal agencies are being held to a higher standard than non-federal utilities that only have to meet the NERC CIPs. The electric industry is unique with the interconnections between utilities leading to the "weakest link in the chain" phenomena potentially being another utility. This means it is possible for a non-federal utility to compromise a federal utility because of the less restrictive NERC CIP standards. The FERC Staff Assessment of the NERC CIP Standards (RM06-22-000 issued December 11, 2006) already has pointed this out.

When the utility industry approved the NERC CIPs, NERC was an industry-sponsored organization. However, NERC is now the Electric Reliability Organization as established by the Federal Energy Policy Act of 2005. Consequently, one can ask why NERC is not making NIST SP800-53 mandatory for all utilities.  The federal power agencies are already in the process of implementing NIST SP800-53 and NIST SP800-53 has been shown to be more comprehensive than the NERC CIPs.

There will be a presentation on how NIST SP800-53 could have prevented an actual cyber event (one which the NERC CIPs could not) at the August Knoxville Control System Cyber Security Workshop and the subsequent NIST Workshop will focus on implementing NIST SP800-53.

Joe Weiss

Continue Reading

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...

Latest from Home

Source: Arthur G. Russell
In system integrator Arthur G. Russell’s R&D and mock-up area in Bristol, Conn., senior R&D engineer Jerry Buchas adjusts a robot-actuated loader that brings a client’s product to the proper location in a case, so its end-of-arm tooling (EOT) with an attached actuator can push the product into place. AGR helps customers develop, test, and derisk their designs and requirements for new end-products and production systems. Its clients want to derisk because shorter product lifecycles and increasing demand for variety are compressing development and commissioning schedules.
OT security concept
Engineer is walking up spiral staircase to working on top of fuel tank

Most Read

Sponsored