By now, most of you are familiar with our commitment to providing our clients with “compliance as a by-product of security and best practices.” We didn’t come up with this approach to be different. We adopted it because our vast experience with NERC audits clearly showed this game plan is the only sustainable approach to balancing regulatory, security and operational obligations. Equally obvious to us has been the indisputable (as far as we are concerned) fact that NIST is the key to achieving this Nirvana of compliance through security – forever more. Of course, we realize many are not ready to embrace NIST. “It’s too complicated…the stuff we use now is OK sometimes…I don’t have time to spend on NIST”…these are just a few of the excuses we hear from non-believers. Fact is, all the evidence points to a mandatory adoption of NIST to ensure the nation’s critical infrastructure protection.
Back in February of 2013, the President instructed NIST to create the Framework, and since then it has quickly gained traction as both the short- and long-term solution to cyber security for the nation’s critical infrastructure. The pace of its adoption continues to accelerate. For those of you still doubting the effectiveness and relevance of the NIST Framework, the latest FERC NOPR has directed that a supply-chain management standard be developed. In April of this year, NIST published SP 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” Coincidence? I don’t think so. This publication will give organizations a very thorough guide to building a supply chain testing and validation program for third-party hardware and software. I would argue that the only component that’s missing is a testing and validation component for service providers, but the criteria in SP 800-161 could be applied to services as well. Maybe the bigger question we in the industry should be asking ourselves is why we need a compliance regulation to tell us that we should be testing and validating our third-party hardware, software, and solutions. The answer is that if we were implementing security-driven programs instead of compliance-driven programs, we wouldn’t need to be told to test or validate.
Now that we’ve let you know the NIST bandwagon will soon be passing through your town, we think it only right that we give you some details that will help you climb on board. We previously introduced many of you to the application of the SANS Top 20 Critical Controls as a NIST starting point, an easy-to-use CliffsNotes for everyone unfamiliar with NIST. After our mappings of NERC CIP Version 3 to Version 5 and the SANS Top 20 Critical Controls, we created a new poster that maps the transition from V3 to V5, lists the Top 20 Critical Controls, and provides a very detailed listing of the applicable NIST 800 Series publications and guidelines as the end game for security. Our idea is that NERC registered entities can start by establishing a foundation of security with NERC CIP while building their entire program to meet the coming requirement of full NIST implementation. This visual resource also effectively demonstrates how seamless that transition can be – contrary to the misconception throughout the industry that NIST is “too granular” or that insufficient resourcing prevents the enablement of a forward-thinking strategy focused on NIST.
Yes, the NIST bandwagon is getting closer each day. And it is being driven by some of the most powerful and influential men and women in Washington, DC. When it arrives, you can choose to climb on board for a ride that isn’t as bumpy as you expected and is shared with your peers who are happily waving the banner of “Compliance Through Security.” If you choose to let the bandwagon pass you by, I can assure you another will follow. This one will be painted in more somber colors, the passengers will be sullen naysayers, and the bumps will be far worse than imagined. You will have no choice but to climb on board for a long journey to the mountaintop, where the occupants of the first bandwagon have long since disembarked and are relaxed in the knowledge that they are secure – and compliant. Securing your place on the first bandwagon can begin with obtaining our poster. The choice is yours.
Created by The Anfield Group, TAG BLOG* provides expert commentary on the latest developments regarding cyber security and CIP Standards compliance for the bulk electric industry. If you’d like to receive our monthly e-newsletter, SURGE, and to make sure you receive future issues of TAG BLOG, simply join our mailing list.
*Not to be confused with the Scandinavian eel delicacy of the same name.