The newly released, voluminous NIST SP800-53 Revision 3 (~40 core pages plus supporting sections, 236 pages total) addresses and delivers a unifying cyber security framework for use across governmental, civilian, and critical infrastructure entities. The focus remains establishing a solid baseline security posture across eighteen control families. The consensus-developed SANS Institute 20 Critical Security Controls, Version 2.0, provides an updated mapping to this NIST release.
NIST said the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
Significant changes include:
- A simplified, six-step risk management framework;
- Additional enhancements for advanced cyber threats;
- Prioritizing or sequencing security controls during implementation or deployment;
- New references section in the revised security control structure;
- Supplemental guidance security requirements eliminated;
- Addresses the risk management framework for legacy information systems and for external providers of information system services;
- Current threat information and known cyber attacks factored into security control baseline updates;
- Addresses organization-level security controls for managing information security programs;
- Guidance on the management of common controls within organizations;
- Strategy for harmonizing Federal Information Security Management Act security standards and guidelines with the international security standard ISO/IEC 27001; and
- Tailoring for industrial control systems, including compensating controls (Appendix I).
NIST Smart Grid Workshop - Aug 3rd-4th
Third major NIST Smart Grid workshop - web/teleconference options:
A key objective of the public workshop is to engage standards development organizations (SDOs) in addressing standards-related priorities. Sessions will be devoted to discussing individual SDO perspectives on the evolving roadmap for Smart Grid interoperability standards, reaching agreement on which organizations should resolve specific standards needs, and developing plans and setting timelines for meeting these responsibilities.
- Webcast information will be posted on this link before the first session begins (more). The agenda is worth checking out, e.g. Tuesday: Cyber Security Strategy, 8am start (CST); the workshop wrap-up on Tuesday PM includes a report-out from multiple topic tracks.
At Black Hat last week, IOActive’s Mike Davis and team created a simulation demonstrating how, over a period of 24 hours, about 15,000 out of 22,000 homes had their smart meters taken over by a software worm that placed the devices under the control of the worm’s designers. More: Smart Meter Worm Could Spread Like A Virus
Some speculation: the simulation likely focused on a single managed smart grid environment (not across multiple, independent smart-grid settings). The meter manufacturer reportedly first dismissed the claims until they were proven. The vulnerabilities are similar to what happens when computers are linked over the Internet: by exploiting weaknesses in the way the devices talk to each other, attackers can design attacks that seize control. The Recoverable Advanced Metering Infrastructure presentation material is not yet posted in the Black Hat USA 2009 Archive area.
Black Hat and Defcon draw some of the best talent around to crack security, e.g. Black Hat Researchers Find 'Free' Parking in San Francisco and more news.