Does DoE Know the Difference Between IT and Control Systems?

Tuesday, March 20, 2012

Joe Weiss


DOE Risk Management Process for the Electric Sector - Doesn't DOE understand the difference between IT and Control Systems?

DOE recently issued for public comment the Electricity SubSector Cybersecurity Risk Management Process, dated March 2012.

In September 2011 DOE issued the first draft of the Electricity SubSector Cybersecurity Risk Management Process document for comments.

The document essentially equated IT and ICS. The only mention of differences between IT and ICS in the new version is the following:

"It is acknowledged that IT and ICS have different cybersecurity requirements. An ICS is primarily concerned with availability. The ICS communication is time critical with specific determination requirements for jitter and latency."

"Conversely, delays within an IT system database or Web page access are not unexpected by IT users. While the use of encryption or packet authentication is more common with an IT system to protect confidentiality and integrity, the same use in an ICS may reduce the level of ICS performance."

"The activities at Tier 3 will assist in determining the controls and risk responses that apply to the cybersecurity requirements of the IT and ICS."

The entire Tier 3 section uses the term "IT and ICS" as if the two domains were the same.

In Section 5.1.2.2, "Define or Refine Cybersecurity Plans," the references are to the National Rural Electric Cooperative Association and NIST SP 800-18.

Neither of these documents is specific to ICS, and there is no reference to ISA99, which provides cybersecurity plan development guidance for ICSs. The Appendix A references do not even include ISA99.

Doesn't DOE understand the difference between IT and Control Systems?

Cross-posted from ControlGlobal.com's Unfettered Blog - copyright 2012 and ff by Putman Media Inc. All rights reserved.
