Monday, March 4, 2013

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

I would like to address ... "the "elephant in the room" ... [that could hinder our achievement of] a Digital Systems Security (DSS) Cybersecurity standard across the US Utility spectrum. That issue is the "expanding redundant complexity" of the current approach to the problem domain. While one can appreciate the efforts [involved] in gathering more information from the industry ... for establishing and improving frameworks to raise the overall level of cybersecurity ..., the problem is that it does not address the inherent complexity of the problem. It only exacerbates it by creating yet more administrative requirements for decomposing and resolving the problem domain for each utility.
I think he's on to something. There's more text clarifying the challenge and then some words on what Les proposes could play a major role in the final solution: DHS' own Cyber Security Evaluation Tool (CSET). The department has put together a nice succinct info sheet on CSET, so rather than telling you more about it, I suggest you read it for yourself, which you can do HERE.

I've got some learning to do myself on this, but in the meantime, please let me know if you think CSET has a role to play in this grand challenge.

2 comments:

Anonymous said...

It most certainly has a role to play. It's essentially the only set of self evaluation tools available for utilities to use to ascertain some level of awareness of their cybersecurity positions, defenses, and vulnerabilities. Getting utilities to care, be aware of, and use this, in light of NERC CIP compliance and uncertainty of regulatory proceedings given recent Cyber EOs and new PPDs on infrastructure is an entirely other ball of wax. Advocacy and demonstration / sharing of CSET evaluations between government and private sector entities is a start, but as many are neck deep in vulnerability assessments across other sectors of their business, cyber remains only ankle deep. We need to gather and share information and if DHS has a tool to help do that, CSET should be used to facilitate that info gathering and sharing mechanism that needs to be developed.

Ben said...

Oh, boy... yet another framework... hurray... #UGH

Here's a better question: What *is* the problem space? It seems the USG is exceedingly eager to flog CIP with various frameworks and requirements, but - as per usual - nobody has bothered to actually define the "problem" that's being "solved." I submit that until this is done, all of these efforts are a complete waste of time.

And, incidentally, "being secure" or "applying security" is *not* a problem space definition. It needs to be cast in terms of desired measurable outcomes, and it must look at who the stakeholders are, what they can reasonably do, and so on.

Color me skeptical and unamused...