Good thing too, cause the electricity generating, transmitting (if not yet, distributing) industry is being pulled in two seemingly opposing directions: on one hand, the desire the demonstrate compliance with CIPS 002-009; while on the other, high anxiety that:
- CIPS 010 and 011 are much different than 002-009 (see summary from James Holler here) and unless they're phased in VERY gradually, that means trouble
- The new CIPS are based largely on security control standards like those in NIST SP 800-53 "Recommended Security Controls for Federal Information Systems and Organizations." Again, a whole different enchilada in terms of detail than what's in 002-009
- This will force huge changes (and likely, commensurate new expenses) for utilities trying make the best of limited human resources, time and funds
Weatherford began his career as a Naval Cryptologic Officer, where he led the Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team. Weatherford has a bachelor’s degree from the University of Arizona and a master’s degree from the Naval Postgraduate School.One thing we've seen in our talks with CISOs and other security professionals in the utilities and ISO/RTOs is the prevalence of prior military (though not always Naval) experience, including folks who did crypto and other cyber security related jobs when they were slightly less "seasoned."
Well, as you'll see from Holler's summary, if not your own hands-on experience in the compliance trenches, it may well be a rough ride moving from the relatively light-weight original CIPS, which really just went fully live on 1 Jan of this year, to the industrial strength 010 and 011. I for one am pulling for Mark to do a great job and wish him every success. We all have a job to do, but his is a key role in this.
No comments:
Post a Comment