Introduction:
Wrote this post for the arrasmartgrid forums, that never really took off. (big surprise). It is an attempt to demystify the NIST/NERC/whatever controls, and to show how if you have a solid program, you'll be 'compliant' with whatever comes down the pipe.
NIST Overview:
NIST stands for the National Institute of Standards and Technology, and is an agency within the US Department of Commerce. NIST as a larger organization, develops standards for everyone industry from Bioscience to Energy, Math and Physics to IT.
Information Technology, as it relates to Smart Grid, is the most relevant NIST subject area to smart grid. The NIST Special Publications (SP) 800 series is a set of documents of general interest to the computer/network security community, which was established in 1990 and continues today. The NIST SP 800 series is used as the basis for numerous federal agency security requirements, as well as the Department of Defense and Intelligences Agencies. When folks speak of ‘industry best practices’ for computer security, more often than not they are referring to the SP 800s.
NIST Relationship to Smart Grid Guidelines
Much to the credit of the NIST organization, their guidelines and standards in the 800 series are the most utilized, plagiarized, and recognized documentation in all of cyber security. Many organizations utilize the NIST SP 800-53a ‘Recommended Security Controls for Federal Information Systems and Organizations’ as a baseline for their own guidelines and controls, including NISTIR 7628, DHS, and even NERC CIP to a certain point.
Figure 1: 800-53 One Baseline to Rule Them All
To see the similarities, let’s take the very first standard in the 800-53a, Access Control Policy and Procedures, and compare it to the other guidelines:
NIST SP 800-53a ‘Recommended Security Controls for Federal Information Systems and Organizations’
AC-1 “Access Control Policy and Procedures”
Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Department of Homeland Security: “Catalog of Control Systems Security: Recommendations for Standards Developers”
2.15.1 Access Control Policy and Procedures
2.15.1.1 Requirement
The organization develops, disseminates, and periodically reviews and updates:
1. A formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
2. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
NISTIR 7628 “Guidelines for Smart Grid Cyber Security” Vol 1
SG.AC-1 Access Control Policy and Procedures
Category: Common Governance, Risk, and Compliance (GRC) Requirements
Requirement
1. The organization develops, implements, reviews, and updates on an organization-defined frequency—
a. A documented access control security policy that addresses—
i. The objectives, roles, and responsibilities for the access control security program as it relates to protecting the organization’s personnel and assets; and
ii. The scope of the access control security program as it applies to all of the organizational staff, contractors, and third parties.
b. Procedures to address the implementation of the access control security policy and associated access control protection requirements.
2. Management commitment ensures compliance with the organization’s security policy and other regulatory requirements; and
3. The organization ensures that the access control security policy and procedures comply with applicable federal, state, local, tribal, and territorial laws and regulations.
And finally, NERC CIP (although to a lesser extent):
CIP 003-4 “Cyber Security — Security Management Controls”
R5. Access Control —The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
As you can see, the DHS Security Control Catalog is almost an exact copy/paste, with the NISTIR 7628 expanding upon the original requirement a bit. NERC CIP, while worded differently and with a more regulatory tone, touches on the same overarching themes of an access control policy. This collaboration reinforces the statement made in today’s webinar about building credibility into your organizations cyber security program by utilizing existing standards and guidelines.
NIST Requirement Example Administrative
I now want to briefly show how the NIST SP 800 series can provide the framework necessary to go from ‘Guideline’ to ‘Implementation’ with an administrative control. I often use the example of a common requirement to have an ‘Incident Response Plan’ in your overall cyber program, that is present in the NISIR 7628, the DHS Catalog, and the NERC CIPs.
The 800-53 control for a Incident Response Plan references the NIST SP 800-61 “Computer Security Incident Handling Guide”. This guide contains a wealth of information about the creation of policies/plans/procedures as well as incident response team composition, and numerous sections on handling certain incident events. Focusing on section 2.3 ‘Incident Response Policy, Plan, and Procedure Creation’, we find that the framework is given for meeting various requirements and compliance needs. This is illustrated in Figure 2:
Figure 2: One Standard to Rule Them All
800-61 provides the framework for writing or altering your own programs incident response plan! All elements for meeting the 7628/DHS/NERC CIP requirements are listed and defined in the 800-61, tailoring and altering the framework to meet your organizations specific function needs, and regulatory requirements is all that is needed. The NIST guidelines provide a starting off point, without needed to create from scratch policy/plans/procedures.
In addition to the 800-61, NIST provides a guide to integrating forensics into IR (800-86) and a guide on preventing and handling malware (800-83). These guides can be used to further develop and mature your organization's incidence response program within cyber security.
Conclusion
While the NIST SP 800 series were conceived for ‘federal IT systems’ it is often the baseline for most cyber security guidelines and regulations in smart grid today. A number of existing NIST guidelines define and specify what policy, plans, and procedures should contain and how those programs should be executed. These ‘Guidelines for the Guidelines’ are excellent tools and references that can be used as the starting point for any new cyber security program, and as a comparison point for all existing programs. As we see with the NISTIR 7628, and the new DoE Cyber Security Initiative, NIST, NERC, FERC, and others are collaborating on how the smart grid, and the grid in general, should be secured. NIST has influenced other guidelines in the past, and I believe will continue to influence in the future.
