Environment, Health, Safety & Security

Ask the Experts: Cybersecurity standards

By Rick Kaun, Honeywell Process Solutions

Question: What standard, guideline or regulation should I use to create a cybersecurity program, or should I wait until a standard is finalized?

Answer: Waiting until a cybersecurity standard is explicitly selected, accepted and enforced is a mistake for two very good reasons. First, a security program is much more social and cultural than technical. One thing we’ve learned from the power industry (besides the fact that it’s difficult to reach consensus on a regulation) is that the people factor, and general adoption of security controls, is something that is learned over time. The organization that waits until the last possible minute and expects its staff to adopt specific security controls en masse is not very likely to succeed. Some of the most frequently violated requirements of the NERC CIP security standards for the power industry, for instance, concern following procedures, keeping documentation and communicating, not purchasing, configuring or applying technology.

The second reason you don’t want to delay your efforts involves funding and workload. I work with companies at both ends of this philosophical spectrum every day. The ones that build security into their facilities over time spend less on average, have better adoption (see point above) and generally grow into their security program with ease. Those who wait until the eleventh hour spend a significant amount of money and almost all of their time leading up to compliance deadlines. In some cases, I’ve seen companies give entire teams of people a month or more off immediately after their sprint to compliance, without having touched any other projects, such as upgrades, changeovers and so on.

There is a myriad of choices and probably 30 times as many opinions as to which standard is the best or, more importantly, which one might end up being enforced. There is of course the Chemical Facility Anti-Terrorism Standards (CFATS) framework, but its cyber component is not very descriptive. People also ask about other initiatives, such as the National Institute of Standards and Technology (NIST) Special Publication 800-82 or 800-53. There is the “Roadmap to Secure Control Systems in the Energy Sector,” and you may want to look at the offerings from the Interstate Natural Gas Association of America (INGAA) and the American Gas Association (AGA) if you have a pipeline or transport function.

So with all these options, which one should you pick? The first thing to remember is that all of these offerings (as well as others, such as NEI for nuclear or NERC CIP for power) share a common framework. If you’re not ready to hitch your wagon to a specific standard, you can still get started on the fundamentals that exist in all of these standards, such as a layered network architecture, antivirus protection, patching and backup solutions, incident response and recovery, and employee training and awareness. These appear (among many others) in some form or other in every cyber program. If, however, you are a betting person, you may want to put your money on the ISA 99 standard (since published as the ISA/IEC 62443 series). It has recently become public knowledge that the ISA 99 standard is the intended program for the cybersecurity component of CFATS. The ISA committees are working diligently to complete it, and it covers all of the aspects listed above as well as some others.

A security program is just as its name implies: a program or culture, and not a project. Get started now, and start with the fundamentals that will serve you well in any environment.

Edited by Dorothy Lozowski

Rick Kaun is the department manager of Industrial Security & Compliance for Honeywell Process Solutions (Phoenix, Ariz.; www.hpsweb.honeywell.com)

To submit a question to Ask the Experts please send an email to [email protected]