Feb 20

US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems

From: SANS

Later this year, the Pentagon will issue cybersecurity certification requirements for organizations that operate components of the country’s critical infrastructure and those that support the US military. The requirements have been under development for some time, predating the president’s executive order that asks the government to consider requiring cybersecurity standards in federal contracts. The owners of critical infrastructure organizations have been asking for cybersecurity guidance, but are reluctant to have requirements imposed. Within the next year, military contracts will include a requirement that industrial control systems (ICS) be continually monitored. Currently, those systems are tested for security every three years. –http://www.nextgov.com/cybersecurity/2013/02/pentagon-will-require-security-standards-critical-infrastructure-networks/61328/?oref=ng-channelriver

[Editor’s Note (Pescatore): Continuous monitoring is good only if meaningful things are monitored. Also, multiple monitoring and certification requirements can lead to a compliance focus vs. a security focus, ending up with IT systems that look like what today’s ladders look like: the same old ladder plastered with lots of warning and safety standard stickers.  The Critical Security Controls are a strong starting point for defining a standard baseline set of meaningful controls for continuous monitoring.

(Henry): I know people get all spun up about “regulation” whenever anyone talks about government guidelines, but really?  I have to get my car inspected each year so I’m not a hazard to other motorists, and I am comforted that someone is verifying the cleanliness and safety of the food and water I eat and drink.  Oh, and I’m always glad to see the little white card in the elevator that assures me someone’s recently checked so I don’t plummet down the shaft to my death. So when the government starts talking about requirements for monitoring the Industrial Control Systems that run our critical infrastructure?  Yeah, I’m ok with that.

(McBride): This is big (and encouraging) news – a significant customer demanding at least some security of ICS networks. Unfortunately, successful implementation will take well over a year. We’ve got to build a bridge between IT and OT that simply isn’t there today. Monitoring is a good start, but without personnel who know from both cyber and operational perspectives what to do, and policies that make sure the right actions occur on ICS/SCADA networks, that monitoring will not be effective.]
