Thursday, September 9, 2010

SANS Sounds Off on NIST and NISTIR 7628 1.0

Because it's a little hard to find unless you were already a subscriber to the online newsletter, here's a short piece from SANS NewsBites, Sep 07, 2010 edition re: the announcement that NISTIR 7628 1.0 is final.

For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:

The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.

The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."

Now you get three points of view from NewsBites contributing editors Tom Liston of InGuardians, John Pescatore of Gartner, and SANS's own Alan Paller. Note that Pescatore, and in particular Paller, slam NIST pretty hard for getting the guidance out bass ackwards (burying the most helpful parts at the end of the report):
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofitted into the existing deployment models.
Pescatore: There is still an opportunity for better security to be built into the smart grid build-out, vs. trying to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point.
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.

Here's a LINK to the third volume if you want to check out chapter 7. It begins on page 29.

I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. It goes against the popular security mantras of the day: "Secure by Design," "Build Security In," etc. Though I'm not sure how this could have played out otherwise.

I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.
