Executive Order 13636 requires, among other things, the National Institute of Standards and Technology (NIST) to develop a “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.” There is a lot of good detail as to what is expected to be in this framework, whose requirements run to a full page. Recently, NIST hosted its first Cybersecurity Framework Workshop to address those necessities. This particular workshop resulted from the following specific requirement: “In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process.” The director of NIST must deliver a framework within 1 year of the publication of the Executive Order (EO); that is, no later than February 19, 2014.
I’m not sure what a framework workshop is, or how many times the word “work” must appear in a meeting title before people will believe that you plan to accomplish something. At any rate, over 700 people attended the workshop ‑ quite large to qualify as a workshop. Living in the Dallas-Fort Worth area, I remember years when the Texas Rangers could barely get 700 people to attend their baseball games (unless Nolan Ryan was pitching). Besides, here in Texas, anything with 700 members is usually called a herd.
Whatever you call it, this event was important. Strictly speaking, the 700 workshop attendees were allowed to comment, but the EO only requires the Secretary of Homeland Security to “engage and consider” their advice. Based upon past experience, the likelihood of their input being ignored is very low.
I may be a bit skeptical here because I’ve watched the North American Electric Reliability Corp. (NERC) labor to adopt seemingly minor clarifications to the CIP Reliability Standards (which it then invalidates). It has repeatedly been hamstrung by large attendee lists that include sometimes contradictory agendas. Anyway, quoting the EO, 9 months from now we shall have:
- A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Methodologies to identify and mitigate impacts of the Cybersecurity Framework … on business confidentiality, and to protect individual privacy and civil liberties
After that, quoting Section 8(a) of the EO, “The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.”
In other words, 1 year to develop a framework of non-binding recommendations for the protection of critical infrastructure. Here in the smart grid world, we already have that. It’s called the NISTIR 7628 series. So maybe it’s a very good call to have NIST run this play. But you’d have to accept that critical infrastructure owners will spend money on protection that they are not required to spend. To date, that trend is not encouraging.
Tags: Cybersecurity, Industry Standards, Policy & Regulation, Smart Grid Security, Smart Utilities Program
| No Comments »