Development of the US government’s Cyber Security Framework, as mandated by Presidential Executive Order 13636, is moving forward at a quick pace. The second workgroup meeting was held last week, and Patrick Coyle provides his summary.
Since the cybersecurity EO is IT-centric and does not mention control systems in any part of its discussion of the Cybersecurity Framework in paragraph 7 (presumably where the ‘core EO objective’ would be found), I wonder if this will be used by NIST as a method to avoid including control system security measures in the Framework. I certainly hope that that is not the case; a Cybersecurity Framework that does not specifically address control system security issues will provide no protections against catastrophic attacks on critical infrastructure.
Patrick is an outstanding expert on chemical safety and security, and also on cyber security legislation. His concerns are substantiated. If there is one metric that we would be interested in, it’s the percentage of people participating in the CSF process who have plant floor experience.
See also: A rebuttal to President Obama’s executive order on critical infrastructure cyber security