Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."
I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:
"I would like to address ... the 'elephant in the room' ... [that could hinder our achievement of] a Digital Systems Security (DSS) Cybersecurity standard across the US Utility spectrum. That issue is the 'expanding redundant complexity' of the current approach to the problem domain. While one can appreciate the efforts [involved] in gathering more information from the industry ... for establishing and improving frameworks to raise the overall level of cybersecurity ..., the problem is that it does not address the inherent complexity of the problem. It only exacerbates it by creating yet more administrative requirements for decomposing and resolving the problem domain for each utility."

I think he's on to something. There's more text clarifying the challenge, and then some words on what Les proposes could play a major role in the final solution: DHS' own Cyber Security Evaluation Tool (CSET). The department has put together a nice, succinct info sheet on CSET, so rather than telling you more about it, I suggest you read it for yourself, which you can do HERE.
I've got some learning to do myself on this, but in the meantime, please let me know if you think CSET has a role to play in this grand challenge.