Quick Take: Along with so many others, I’ve been encouraging utilities to take cybersecurity more seriously. So when I heard that NEMA’s Paul Molitor was attending an important NIST cybersecurity workshop, I asked him if he would share the outcomes.
In a nutshell: You have one last chance to comment on the NIST security framework before it is published. After that, utilities will be “encouraged” to follow its guidance. Although compliance will not be mandatory, I believe it will quickly become a CYB (cover your backside) necessity. Can you imagine the uproar if a utility suffers a major cybersecurity event and it is discovered that it ignored NIST guidelines that could have prevented the situation? – By Jesse Berst
By Paul Molitor
On September 13, 2013, NIST concluded the last of four Cybersecurity Framework Workshops leading to the release of a document designed to meet the agency’s obligation under Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The August 28, 2013 discussion draft of the framework used during the workshop is composed of three parts:
- The Framework Core is a compilation of cybersecurity activities and references that are common across critical infrastructure sectors;
- Framework Implementation Tiers (“Tiers”) describe how an organization implements the Framework Core Functions and Categories and indicate the rigor with which it manages cybersecurity risk; and
- A Framework Profile (“Profile”) conveys how an organization manages cybersecurity risk in each of the Framework Core Functions and Categories by identifying the Subcategories that are implemented or planned for implementation.
Key outcome – one last look
The key outcome from the event was an offer by the NIST facilitators for industry stakeholders to take a final detailed look at the framework for its applicability to their sector prior to publication. The next step is to roll up the feedback from the workshop and close the public comment period before the NIST publishing deadline set forth in the Executive Order. Because NIST had to limit the initial scope of the framework to meet that deadline, the last section of the draft lists areas for improvement, including:
- Automated indicator sharing
- Conformity assessment
- Data analytics
- International aspects, impacts, and alignment
- Supply Chains and Interdependencies
NIST and the Executive Order envision the framework as a voluntary measure. Thus, terms like “adoption,” “implementation,” and “conformance” were used very gingerly by the discussion leaders. It was clear that the government representatives were hoping to draw considerable attention from the industries representing critical infrastructure segments. Sessions on the final afternoon of the workshop focused on framework presentation and tools, implementation guidance, executive engagement, governance, and the DHS voluntary program for using the framework.
Although the program is voluntary, an informal show of hands indicated that quite a few attendees expected at least some portion of the framework to become a requirement. Several said that if that happened, an industry-vetted cybersecurity framework managed through NIST with the appropriate level of public and government input would be a better outcome than a requirement imposed without that process.
The NIST website for the project including all of the relevant documents is available at http://www.nist.gov/itl/cyberframework.cfm.
Paul Molitor was the first Plenary Secretary of the NIST Smart Grid Interoperability Panel (SGIP), is active in the SGIP cybersecurity and internet protocol working groups, and the International Electrotechnical Commission Strategy Group 3 (IEC SG3) on Smart Grid.
Paul serves as the Assistant Vice President of Smart Grid and Special Projects for the National Electrical Manufacturers Association in Rosslyn, VA. On behalf of the 450 member companies of NEMA, Paul is responsible for monitoring the national Smart Grid effort and interfacing with electric utilities, manufacturers, federal agencies, and the U.S. Congress. He also provides information, direction, and support to the NEMA Government Relations, Technical Services, and Industry Operations groups who manage policy and technical issues related to standards and protocols for U.S. and International Smart Grid activities.