Wednesday, April 3, 2013

SGSB notes from NIST's Critical Infrastructure Cybersecurity Framework Workshop

Long title, eh?  Cranking this out just before heading back to Beantown from DC/Reagan airport so please be more tolerant than usual of typo's, lack of narrative, lack of clarity, weak grammar, lack of a point, etc. ...

ICS-ISAC Chair Chris Blask, pictured above (long hair on right), waited very patiently at a microphone that seemed like it was for audience use, and ultimately got his turn, in which he asked a long question phrased like a long statement.

Today was a good day. There was lots of Tweeting was going on, even though the wireless service in the Dept of Commerce was highly sub-optimal. As one fellow attendee observed, "it's not bad because of security, it's just bad." You can find those tweets, many happy, some helpful, a couple cheeky and a few angry for some reason, using the #NISTCSF hashtag.

As the format didn't encourage much audience participation, I might have been just as happy if not slightly happier if I had "attended remotely" via Webcast  I was able to oversize my modest social skills with friends and acquaintances from FERC, NIST, DOE, DHS, UTC, and more than a few companies. 

Anyway, my 2 centavos:

While public-private partnerships sound good on paper, and can produce good results, they can also produce nothing, disguised as activity. Nevertheless, this work may produce results for the electric sector, and if it does, I think you'll see them in some or all of the following categories:

1) Incentives

Tax relief, liability limits, making it easier for crit infra co's to generate the money to fund newer/bigger security investments. I think we're all pulling for this, but the devil will be in the sausage making.

2) Sourcing & Acquisition

Crafting minimum security requirements for systems and software purchases going forward. Won't secure what's in the field, but will drive improvement over time. Super thorny issue, though, right? IBM practices "secure by design" processes in its software products. And recommend it to others. Also see IEC 62443 2-4 where a very large US utility and security boutique Wurldtech collaborated to make security maturity guidelines for sourcing grid products. That could be one helpful precedent.

3) Security Metrics

One of my favorite topics of course. Can't show improvement if we can't describe current state. Once you can baseline then you can find gaps and roadmap to an improved future state. 

4) Cyber Hygiene

Repeated throughout was how 80-90 % of data breaches are from the most primitive/basic types of phishing attacks. Users clicking on links in emails, as NERC's Tim Roxey, who was far and away the brightest star in a very high caliber group of panelists, said, "like rats on crack." So this is about user awareness and basic cybersecurity 101 stuff. Not high tech. But if it could be implemented broadly, would eliminate majority of breaches.

5) Info Sharing

Making it easier for crit info co's to collaborate by giving certain privacy and other protections.

Please note that after RFI responses are in (deadline: April 8) and digested, another workshop (there will be 3) leading up to the October milestone will be at CMU in Pittsburgh right after the Memorial Day weekend in late May. I'll endeavor to be there, either in person and via the marvel of the Internet, will make my contributions, and report back out to you here.  Now got to go ... they're boarding !!!


Anonymous said...

Regarding attending the meeting remotely via Webcast: You were lucky you didn't try. The "Webcast" had no video, no audio but, was a transcription of what was being said using a very bad VR function. If it wasn't so tragic and futile, it would have been funny. At one point a speaker said "...the important topic of Cyber Sick Erie." The experience of using the "Webcast" was painful.

Andy Bochman said...

Sorry hear that about the webcast quality. I got a different impression from some others. Maybe there was some variation depending on your system or something? Anyway, it would be good for the NIST folks to know it didn't work for everyone. Thanks for saying so.

Anonymous said...

Not so sure why Anonymous couldn't get audio or video--mine worked--although with a little lag from time to time. Enjoyed Tim Roxey's comments as well.

Anonymous said...

Really enjoy your blog, great stuff. I see you reference IEC 62443 2-4. What are you thoughts on IEC 62443 4-2 (or ISA 99.03.03)? Do you have any insight on movement with IEC 62443 4-2 or the ISA 99.03.03 standard itself (as I believe it's currently a draft). Lastly have you heard of any utilities adopting/enforcing ISA 99.03.03 requirements or ISASecure certification on their vendors?

Anonymous said...

thanks for share....

Amos said...

This is cool!