This post comes to you via the DOD Energy Blog's sister site, the Smart Grid Security Blog.
Just so you know, there was a shift in the force recently as Michael Assante stepped down from the CISO position and NERC sought an able replacement. This post (and this NERC announcement) informs you that, happily, the new CISO has been installed and we're back on track.
Good thing too, because the electricity generating, transmitting (if not yet, distributing) industry is being pulled in two seemingly opposing directions: on one hand, the desire to demonstrate compliance with CIPS 002-009; while on the other, high anxiety that:
- CIPS 010 and 011 are much different than 002-009 (see summary from James Holler here) and unless they're phased in VERY gradually, that means trouble
- The new CIPS are based largely on security control standards like those in NIST SP 800-53 "Recommended Security Controls for Federal Information Systems and Organizations." Again, a whole different enchilada in terms of detail than what's in 002-009
- This will force huge changes (and likely, commensurate new expenses) for utilities trying to make the best of limited human resources, time and funds
Maybe there's a loose connection of sorts here. I recall that the SP 800-53 controls are referenced in DOD 8500.x security policies (see DITSCAP and DIACAP). Michael Assante was a Naval intel officer and it seems to me he did a great job during his tenure at NERC. Now Mark Weatherford, recently the CISO for the states of California and Colorado, also comes to the office with a solid Navy pedigree. From the NERC announcement on him:
Weatherford began his career as a Naval Cryptologic Officer, where he led the Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team. Weatherford has a bachelor’s degree from the University of Arizona and a master’s degree from the Naval Postgraduate School.
One thing we've seen in our talks with CISOs and other security professionals in the utilities and ISO/RTOs is the prevalence of prior military (though not always Naval) experience, including folks who did crypto and other cyber security related jobs when they were slightly less "seasoned."
Well, as you'll see from Holler's summary, if not your own hands-on experience in the compliance trenches, it may well be a rough ride moving from the relatively light-weight original CIPS, which really just went fully live on 1 Jan of this year, to the industrial strength 010 and 011. I for one am pulling for Mark to do a great job and wish him every success. We all have a job to do, but his is a key role in this.