By Scott Saunders, Sacramento Municipal Utility District
A session at the inaugural Smart Grid Interoperability Panel meeting in 2013 included a presentation from several electricity subsector representatives regarding President Obama’s Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity.
The EO was issued Feb. 12, 2013, as part of the State of the Union address.
The EO identified activities for the Department of Homeland Security (DHS) and the Department of Commerce to partner with representatives from each of the 16 critical infrastructure sectors to improve cybersecurity practices: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
In particular, Section 7 of the EO requires the director of the National Institute of Standards and Technology (NIST) to develop a “baseline Framework to reduce cyber risk to Critical Infrastructure (Cybersecurity Framework).”
In addition, Section 8 requires the DHS secretary to establish a voluntary program along with incentives for critical infrastructure owners and operators to adopt the Cybersecurity Framework.
After four public workshops, NIST opened a 45-day public comment period for the Draft Cybersecurity Framework. The initial reactions to the first full draft have been positive. It is obvious from the published draft that NIST has been taking in all of the comments from the various working groups and incorporating them to the extent possible.
Early in the process, electricity subsector participants were concerned about how the existing mandatory and enforceable regulatory regime, the North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards, would be reconciled with the Cybersecurity Framework. In addition, industry provided NIST with the Department of Energy Risk Management Process (RMP) and the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) risk guidelines. Industry has already adopted these two guidelines as part of the sector's cyber risk management programs.
The structure of the Cybersecurity Framework includes five functions: identify, protect, detect, respond and recover. Within each of the functions are a number of categories and subcategories that contain the actual cybersecurity practices. The last component of the Cybersecurity Framework is a listing of informative references that can be used for implementing the subcategory practices. For the informative references, NIST has chosen a subset of guidelines and standards that are common across all of the critical infrastructure sectors:
- ISA 99–Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program;
- Control Objectives for Information and Related Technology (COBIT);
- ISO/IEC 27001, Information Technology–Security techniques–Information Security Management Systems;
- NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; and
- Council on CyberSecurity (CCS)–formerly SANS–Top 20 Critical Security Controls.
The energy sector has provided initial comments that the informative references within the Cybersecurity Framework Core also should include mandatory cyber regulations, not just voluntary guidelines.
There continue to be questions from industry on the next steps for the Cybersecurity Framework. Specifically, under Section 8 of the EO, DHS is required to implement a voluntary program to support the adoption of the Cybersecurity Framework. It has been unclear what “adoption” means, especially for a regulated sector such as energy. Because the electricity subsector already has existing standards and guidelines, there has been a question whether implementing those programs constitutes “adoption.” DHS has only just begun assembling a working group of industry and federal parties to discuss what adoption means. Coupled with the questions on adoption are outstanding questions about what incentives will be available and how those incentives align with participation in the voluntary program. It remains unclear whether adoption will be demonstrated through self-certifications, third-party conformity assessments or industry peer reviews.
The formal comment period ended Dec. 13, 2013, and NIST is required by the EO to publish the final Cybersecurity Framework in February 2014. In the November 2013 workshop in Raleigh, N.C., NIST made it clear that the Framework published in February 2014 is just Version 1. NIST has asked critical infrastructure organizations to start using and integrating the Cybersecurity Framework now to develop lessons learned that can influence the next version of the Cybersecurity Framework.
Scott Saunders is chief information security officer of Sacramento Municipal Utility District.