Contrasting the National Electric Code (NEC) and Cybersecurity
ITEA System of Systems - Reducing Risk
Thursday January 28th, 2016
TRMC – Cybersecurity Support Staff
904-625-2260
Pending Distribution A Release Authorization
Evolution of the National Electric Code (NEC)
• Incandescent light bulb was invented by Joseph Swan and first demonstrated to the public on December 18th, 1878 in England
• Competed with natural gas and kerosene for lighting
• By 1881, one US insurer had reported electrical fires at 23 of 65 insured textile mills in New England
• “We were without standards and inspectors, while manufacturers were without experience and knowledge of real installation needs. The workmen frequently created the standards as they worked, and rarely did the two men think and work alike.”
• Standardization for a national code of rules for electrical construction and operation for the practical safeguarding of persons and property from the hazards arising from the use of electricity was needed
• By 1895, five electrical codes were being applied in the US, causing considerable controversy and confusion
Each of the following had its own unique set of controls:
• DIACAP
• DCID 6/3
• NISPOM
• NISCAP
• NIST SP 800-37
Evolution of the NEC
• First harmonization of electrical code was called the German Code
• Code of the British Board of Trade and the Phoenix Rules of England reviewed by 1200 people during 1897 from the US and Europe
• National Electric Code (NEC) resulted from a meeting of 23 people at the ASME headquarters during March 18-19, 1896
• Is a living code that is currently updated every 3 years using an open consensus process
• Not intended as a design specification or an instruction manual
• Does not cover ships, watercraft other than floating buildings, aircraft, automotive vehicles other than mobile homes and RVs
Use case: install a 6 kW photovoltaic system on a house roof such that, if it fails and causes a fire, I can collect homeowners insurance, i.e., an NEC-compliant installation
• Create a plan, apply standardized architecture, develop a specific design implementation, integrate and install
It is an Industrial Control System (ICS)
Consumer Use Case
[Figure: industry catalog technical content. PV architectures: Off-Grid, Grid-Tie, Utility Grid-Tie, AC-Coupled. Off-Grid PV architecture built from an industry branded parts catalog]
Reference Material
[Figure: three reference documents side by side. A ~1500-page manual analogous to CNSSI 1253, NIST SP 800-53, Overlays, STIGs and SRGs bundled into one; an industry catalog of components and guidance, ~250 pages; NIST SP 800-53 Rev4 Appendix F]
Contrast National Electric Code to Cybersecurity Regulations
• NEC Content, Arrangement of Articles
  • Chapter 1 – General
  • Chapter 2 – Wiring Protection
  • Chapter 3 – Wiring Methods and Materials
  • Chapter 4 – Equipment for General Use
    (Chapters 1 thru 4 apply generally to all electrical installations; analogue to CNSSI 1253 and NIST SP 800-53 Baselines)
  • Chapter 5 – Special Occupancies
  • Chapter 6 – Special Equipment (includes ARTICLE 690 “Solar Photovoltaic (PV) Systems”)
  • Chapter 7 – Special Conditions
    (Chapters 5 thru 7 supplement or modify Chapters 1 thru 4, except where specifically noted; analogue to Overlays and NIST SP 800-60)
  • Chapter 8 – Communications Systems - Not subject to Chapters 1-7
  • Chapter 9 Tables - Applicable as referenced
  • Informative Annex A through I - Informative not mandatory
Installation of an Off-Grid Photovoltaic System at a House
City Home / Fire Home / Prevention / Fire Marshal’s Office (http://www.mariettaga.gov/city/fire/prevention/firemarshal)
• Inspection of buildings
• Life Safety
• Handicap accessibility
• Fire sprinkler systems
• Fire alarm systems
• Investigation of fires
• Enforcement of state laws and local ordinances pertaining to fire prevention
• Plan Review
City Hall / Building Construction / Permits and Inspections (https://www.mariettaga.gov/city/cityhall/inspections)
• Building <- Building Inspector (residential)
• Plumbing
• Gray Water
• HVAC
• Electrical <- Electrical Inspector
Safety Programs, contrast to Cybersecurity Programs
Inspector, contrast to SCA/R (Interview, Document, Observe, Test)
Fire Marshal or Authority Having Jurisdiction (AHJ), contrast to CIO/SISO/AO
• Enforcement
• Plan Review
• Forensics
AHJ – organization, office, or individual responsible for approving equipment, materials, an installation, or a procedure (NFPA)
Finished Backyard Arrays
[Photo: Array #1 and Array #2 with 185 Watt panels; Array #3 and Array #4 with 200 Watt panels]
Array Combiner Box
[Photo: 8-string combiner box located at the top center point of each array on the roof; it contains four fuses for the four circuits (NEC 690.9)]
Array Lightning Arrester and GFPI
[Photo: one of these for each array, in the attic. GFP circuit breakers (NEC 690.5 A thru C for grounded DC PV arrays); lightning arresters (NEC 280, NFPA 780-2011)]
Power Control Panel Components
[Photo: flooded lead acid battery hydrogen exhaust fan (NEC 480.9A); battery box (NEC 480.8, 480.9, 110.27); Zener diode for DC fan motor (increases reliability of the electronic actuator)]
Finished Power Control Panel
[Photo: Morningstar MPPT charge controller, Ethernet switch, proprietary Outback hub, proprietary Morningstar hub, Outback LED state of charge indicator]
It is an Industrial Control System (ICS)
NEC – Electrical Component Testing Labs and Standards
• Nationally Recognized Testing Labs (NRTL) are authorized by the US Department of Labor (DoL) Occupational Safety & Health Administration (OSHA) to certify product compliance with safety standards (https://www.osha.gov/dts/otpca/nrtl/ & https://www.osha.gov/dts/otpca/nrtl/list_standards.html)
• Edison Test Labs (ETL) – Intertek testing of the following kinds of standards: ANSI, ASME, ASTM, ISO, NFPA
• Underwriters Laboratories (UL) – Numerous UL Standards: 153, 197, 796, 1026, 1492, 1598, 1642
• Restriction of Hazardous Substance (RoHS)
• Lead (Pb): < 1000 ppm
• Mercury (Hg): < 100 ppm
• Cadmium (Cd): < 100 ppm
• Hexavalent Chromium (Cr VI): < 1000 ppm
• Polybrominated Biphenyls (PBB): < 1000 ppm
• Polybrominated Diphenyl Ethers (PBDE): < 1000 ppm
Cybersecurity – IT Component Configuration/Certification/Validation
• DISA STIG and Control Correlation Identifiers (CCI)
  • Security Technical Implementation Guides (STIG) http://iase.disa.mil/stigs/Pages/index.aspx
  • Security Requirements Guide (SRG) http://iase.disa.mil/stigs/srgs/Pages/index.aspx
• NIST Cryptographic Module Validation Program
  • Computer Security Division (CSD) and CSEC jointly serve as the Validation Authorities for the program, validating the test results and issuing certificates
  • FIPS 140-1 and FIPS 140-2 compliance testing and certifications
• National Information Assurance Partnership (NIAP) between NIST and NSA
  • Common Criteria (ISO Standard 15408) Testing Labs (CCTL) https://www.niap-ccevs.org/Big_Picture/cctls.cfm
  • Protection Profiles (PP) are cybersecurity standards for classes of products
  • Security Targets (ST) are used to test a vendor’s target of evaluation (TOE) claim
  • NIST Product Compliance List (PCL) https://www.niap-ccevs.org/Product/
• NSA Commercial Solutions for Classified (CSfC) Program Component List https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml
• DoD Approved Product Listings – SISSU related
  • DISA UC-APL, USAF e/APL, USA CoN, USN DADMS
• Joint DoD and ODNI CIO Unified Cross Domain Services Management Office (UCDSMO) Baseline Lists of transfer, access and MLS cross domain solutions
Primary RMF Resources
Policies:
• DODI 8500.01: Cybersecurity
• DODI 8510.01: RMF for DoD IT
• https://rmfks.osd.mil/rmf/Pages/default.aspx
• CNSSP 22: IA Risk Management Policy for NSS
• CNSSI 1253: NSS Categorization Baselines
• CNSSI 4009: CNSS Glossary
• FIPS 199: Categorization of Information and Systems
• NIST SP 800-30: Risk Assessment
• NIST SP 800-37: Guide to Applying RMF
• NIST SP 800-39: Managing Information Security Risks
• NIST SP 800-53 Rev4: Controls Catalog
• NIST SP 800-60: Data Type Categorization – Needs to be updated for DoD
• NIST SP 800-137: Information Security Continuous Monitoring (ISCM)
RDT&E Perspective of Risk Management Framework Tiered Enterprise Risks
[Figure: three-tier enterprise risk model, strategic risk at the top tier and tactical risk at the bottom]
TIER 1 – Organization: DoD CIO/SISO (RMF TAG & KS), DoD ISRMC (DSAWG); Risk Executive Function
TIER 2 – Mission / Business Processes: WMA, BMA, EIEMA, DIMA PAOs; DoD Component CIO/SISO; FMCO
TIER 3 – Information Systems: Authorizing Official (AO), System Cybersecurity Program
Figure annotations:
• Inter-Tier and Intra-Tier Communications
• Feedback Loop for Continuous Improvement
• Traceability and Transparency of Risk-Based Decisions
• Organization-Wide Risk Awareness
WMA – Warfighting Mission Area
BMA – Business Mission Area
EIEMA – Enterprise Information Environment Mission Area
DIMA – DoD portion of the Intelligence Mission Area
RDT&E construct:
TIER 1 – Enterprise Level
TIER 2 – DoD RDT&E Overlay and associated RDT&E Guidance
TIER 3 – RDT&E Guidance for standardization of RDT&E Information Security Architecture to establish expectations for what controls RDT&E Host(s) must/should/may inherit
TIER 4 (an RDT&E construct) – RDT&E Guidance for standardization of RDT&E Information Security Architecture (ISA) to establish expectations for what controls RDT&E Tenant(s) must/should/may inherit
RMF Cybersecurity Roles
RMF Roles:
• MAO – Mission Area Owner (supra functional mission BMA, WMA, EIEMA, and DIMA CIOs)
• PAO - Principal Authorizing Officials (supra functional mission AO, previously called PAAs )
• FMCO – Functional/Mission Capability Owner (new Risk Executive Function related role)
• CIO – Chief Information Officer (CIO at component level)
• SISO – Senior Information Security Officer (reports to CIO, is in charge of DoD component’s cybersecurity program, previously called SIAO)
• AO – Authorizing Official (reports to CIO and CISO, previously called the DAA)
• AODR – AO Designated Representative (reports to AO, previously called the DAAR)
• SCA – Security Control Assessor (reports to AO/R, previously called the CA – Certifying Authority)
• SCAR – SCA Representative (reports to SCA, previously called the ACA – Agent to CA)
• IO – Information Owner
• ISO - Information System Owner (enclave’s PM during its acquisition)
• ISSM – Information System Security Manager (reports to ISO/PM and AO)
• ISSO – Information System Security Officer (reports to ISO/PM)
• ISSE/SSE – Information System Security Engineer (reports to ISSM and PM)
• NA – Network Administrator
• SA – System Administrator
Dispute and Governance Resolution
Dispute Resolution:
• DoD Component Level (e.g., SCA, AODR, AO, CIO)
• Defense IA Security Accreditation Working Group (DSAWG), headed by an O-6
  • Provides technical support for ISRMC
  • Network connection authorization between different collateral security domains
• Individual Mission Area Principal Authorizing Officials (MA PAO), flag officer
• DoD Information Security Risk Management Committee (ISRMC), headed by PAO appointed by Mission Area Owners (MAO):
  • WMA PAO
  • BMA PAO
  • EIEMA PAO
  • DIMA PAO
Governance Resolution:
• DoD Component Level
• RMF Technical Advisory Group (TAG)
• DoD CIO Executive Board (CIO EXBD)
• Command, Control, Communications, Computers, Cybersecurity Leadership Board (C5LB)
  • Tri-chaired by appointments from the DoD CIO, USSTRATCOM, and DJ-6
8510 RMF Steps for System A&A and Areas for RDT&E Refinement
[Figure: the six RMF steps with an ISCM loop, annotated with open questions (RDT&E Overlay? RDT&E Guidance? RDT&E ISCM Strategy?) and the note that an RDT&E Information Security Architecture is needed from Step 2 to support implementation]
Information System Continuous Monitoring (ISCM) Strategy
Policies & Guidance:
• CNSSI No. 1011 - “Implementing Host-Based Security Capabilities on National Security Systems” (FOUO)
• NIST SP 800-137 - “ISCM for Federal Information Systems and Organizations”
  • Tier 1 – “Organizational Strategy and Risk Tolerance” is a Risk Executive Function responsibility
  • Tier 2 - Mission aspects of Strategy <- mission FMCO representation needed for RDT&E
    • Mission risks are different for RDT&E Standalone, RDT&E Isolated and RDT&E Shared network topologies
  • Tier 3 – “ISCM Strategy” is an ISO/IO responsibility
RMF TAG (Tier 1):
• Enterprise Dashboard – RMF TAG Continuous Reauthorization Work Group
  • Red Light Controls – 10 identified
    • Security control requires an immediate escalation to the AO for a risk management decision concerning disconnect or continued operations. The most critical piece, the majority, or all of the control has failed.
  • Yellow Light Controls – 180 identified
    • Security control does not require immediate AO notification but should be further investigated prior to escalation to the AO for a risk management decision concerning disconnect or continued operations.
  • White Light Controls – 299 identified
[Figure: Conceptual ISCM CM Process. RMF steps 1 Categorize, 2 Select, 3 Implement, 4 Assess, 5 Authorize, 6 Monitor run in an RDT&E sandbox with an ISCM loop to the operational system (e.g., training), with NIST SP 800-37 Tasks 6-1 through 6-6 and e/APL checkpoints. Flow for adding a new widget or upgrading an existing widget: Request for Configuration Change (ISSO); Ongoing Assessment of Cybersecurity Controls; Prioritize and Address Findings; Update SAR Report; Risk Determination (Low Risk / High Risk; Requires CCB? Yes / No); Develop Remediation Actions; AO Authorization to Proceed; Update ATO T&Cs; Change to Operational State. Paths: A – first time, B – CCB required, C – no CCB required; provisional state (SCA/ISSM). Roles shown: ISO, ISSM/ISSE/CCB, SCA/R, ISSM/ISSO/CCP, CCP/NA/SA, SCA, SCA/AODR, ISSM, AO. Change triggers: CM change to support an event, zero-day event, virus signature update, upgrades, policy updates, manpower changes. Assessment inputs: ACAS, STIG, HBSS, pen testing, trouble tickets (e.g., JIRA). Artifacts: SSP (ISSM), POA&M (ISSM)]
ISCM strategy should address:
1. FMCO dashboard view with control monitoring frequencies and methods, reporting schemes, and tracking; balancing between control criticality and mission objectives
2. ISCM CM process (see the Conceptual ISCM CM Process figure)
3. DOTMLPF-ing cybersecurity controls to assist in allocating proper resources for POA&M development
RDT&E ISCM Strategy
Purpose of Cybersecurity Overlays
Overlay - A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the “RMF Selection” that is intended to complement (and further refine) security control baselines. Overlay specifications may be more stringent or less stringent than original security control baseline specifications, and are applied to multiple information systems.
• Address cybersecurity concerns for 3 broad areas:
  • Data Type confidentiality and integrity risks (e.g., SCI/SAP, classified, CUI/export-control and privacy)
  • System Functionality Needs (e.g., CDS, space systems, tactical systems, industrial control systems and critical infrastructure)
  • Environmental Types (e.g., RDT&E sites/ranges, IO ranges and training sites/ranges)
• Approval bodies:
  • DoD (posted on RMF Knowledge Service)
  • CNSS (e.g., Space Platform, Cross Domain Solution, Intelligence, Classified Information, and Privacy)
  • NIST (e.g., NIST SP 800-82 - Guide to Industrial Control System Security)
CNSS & DOD Overlays
CNSS
Existing:
• Information Accessibility (revision in progress, dated 12/15/2011) – 3 pg.
• Intelligence (revision in progress, dated 10/23/2012) – 9 pg.
• Space (revision in progress, dated 6/1/2013) – 33 pg.
• CDS (revision in progress, dated 9/27/13) – 13 pg.
• Classified Information (5/9/2014, relative to NIST 800-53 Rev4 High Watermark) – 29 pg.
• Privacy (4/20/2015, covers PII and PHI) - 127 pg.
DOD
Existing:
• Nuclear Command and Control, Communications (NC3) Systems Overlay (15 June 2015) – 23 pg.
Draft RDT&E Overlay
Section 4
Table 1: RDT&E Overlay Security Controls
Control    Infrastructure
AC-4       G
AC-6(6)    +
AC-7       VG
AC-10      G
AC-16      G
AC-16(6)   G
AC-17(1)   G
AC-18      G
AT-3(1)    G+
AU-5       V
AU-5(1)    GV
AU-6(4)    G
CA-7       G
CM-4(1)    G
CM-4(2)    +
CM-5       G
CM-6       G
CM-6(1)    G
CM-6(1)    G
CM-8(5)    G
CM-8(6)    +
CP-7       --
CP-7(1)    --
CP-7(2)    --
CP-7(3)    --
CP-7(4)    --
CP-8       G
IA-2(1)    G
IA-4(2)    +
IR-9(3)    G
IR-10      G
PS-3(2)    +
PS-6(2)    +
RA-3       V
SC-7(13)   G
SC-18(1)   GV
SC-18(3)   G
SC-22      G
SI-3       V
SI-3(2)    G
SI-3(4)    G+
SI-4(23)   V
SI-7(8)    V
Key:
(G) Go to Section 5 for Supplemental Guidance
(V) Assignment Value or Selection is prescribed
(+) Indicates control should be selected
(--) Indicates control should be deselected
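The Table 1 marker scheme as an added Python example (written for this page, not code from the deck, the RMF Knowledge Service or any DoD tool): it tailors a constructed sample baseline with a constructed subset of the overlay and emits the compliance-matrix rows the deck's conclusions argue an overlay-driven code would make cheap to produce. The baseline set, the overlay subset and the reading that only + and -- change selection while G and V are flags are assumptions.

```python
"""Apply an overlay table (Table 1 markers) to a control baseline: '+' selects,
'--' deselects, 'G' flags Section 5 guidance, 'V' flags a prescribed value."""
from dataclasses import dataclass, field

SELECT, DESELECT, GUIDANCE, VALUE = "+", "--", "G", "V"

@dataclass
class Tailoring:
    selected: set = field(default_factory=set)
    deselected: set = field(default_factory=set)
    needs_guidance: set = field(default_factory=set)
    prescribed_value: set = field(default_factory=set)

def parse_marker(marker: str) -> set:
    """Split a composite marker such as 'GV' or 'G+' into its parts."""
    if marker == DESELECT:
        return {DESELECT}
    parts = set(marker)
    unknown = parts - {SELECT, GUIDANCE, VALUE}
    if unknown:  # reject typos instead of silently mis-tailoring a control
        raise ValueError(f"unknown marker(s) {sorted(unknown)} in {marker!r}")
    return parts

def apply_overlay(baseline: set, overlay: dict) -> Tailoring:
    """Tailor a baseline with an overlay. Only '+' and '--' change selection;
    'G' and 'V' are carried as flags (this reading of the key is assumed)."""
    t = Tailoring(selected=set(baseline))
    for control, marker in overlay.items():
        parts = parse_marker(marker)
        if DESELECT in parts:
            t.selected.discard(control)
            t.deselected.add(control)
            continue
        if SELECT in parts:
            t.selected.add(control)
        if GUIDANCE in parts:
            t.needs_guidance.add(control)
        if VALUE in parts:
            t.prescribed_value.add(control)
    return t

def compliance_matrix(t: Tailoring) -> list:
    """Rows of (control, status, needs_guidance, value_prescribed), sorted."""
    return [(c, "deselected" if c in t.deselected else "selected",
             c in t.needs_guidance, c in t.prescribed_value)
            for c in sorted(t.selected | t.deselected)]

# Constructed subset of Table 1 (infrastructure column), not the full overlay.
RDTE_OVERLAY = {
    "AC-4": "G", "AC-6(6)": "+", "AC-7": "VG", "AT-3(1)": "G+", "AU-5": "V",
    "CP-7": "--", "CP-7(1)": "--", "CP-8": "G", "IA-4(2)": "+", "SI-7(8)": "V",
}
# Constructed illustrative baseline; not an actual CNSSI 1253 baseline.
SAMPLE_BASELINE = {"AC-4", "AC-7", "AU-5", "CP-7", "CP-7(1)", "CP-8", "SI-7(8)"}

def tailored_rdte_matrix() -> list:
    """Convenience: the matrix for the constructed baseline and overlay."""
    return compliance_matrix(apply_overlay(SAMPLE_BASELINE, RDTE_OVERLAY))
```

A control marked only G or V that is absent from the baseline stays unselected, which is the case to watch when a Section 5 entry is expected to carry an inherited control.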
Draft RDT&E Overlay
Summary of Section 5
RDT&E Applicability | Supplemental Guidance Category | Examples
Host or Tenant | Statutory/regulatory compliance | SCI, ITAR or EAR export controls, and PII
Host or Tenant | Deselection rationale | CP-7, CP-7(1), CP-7(2), CP-7(3), CP-7(4)
Host or Tenant | Assumption(s) | AC-16, CM-8, IR-10, SC-18(3), SC-22
Host or Tenant | Assignment/selection value guidance | AC-7, AU-5, AU-5(1), RA-3, SC-18(1), SI-3, SI-4(23), SI-7(8)
Host or Tenant | Inheritance | AC-17(1), SC-7(13)
Host or Tenant | Additional guidance/scope | AC-4, AC-10, AC-16, AC-16(6), AC-17(1), AC-18, AU-5(1), AU-6(4), CA-7, CM-4(1), CM-5, CM-6(1), CM-8, CP-8, IR-9(3), IR-10, SC-7(13), SC-18(1), SI-3(2), SI-3(4), SI-4(23)
Host or Tenant | Selection rationale | AC-6(6), AT-3(1), CM-4(2), CM-8(6), CP-7, CP-7(1), CP-7(2), CP-7(3), CP-7(4), IA-4(2), PS-3, PS-6(2)
Host or Tenant | Risk not present | AC-17(1), AC-18, CP-8, IA-2(1), SC-18(3), SC-22
Host or Tenant | Non-applicability rationale | CM-4(1)
Host or Tenant | Risk acceptance | AC-16, AC-17(1), AU-6(4), CM-6, CM-6(1), CP-8, SC-18(1), SI-3(2)
Tenant | Tenant SDLC issue(s) | Immaturity, Ownership, Technical Limitations
Will NIST SP 800-53 Rev5 Improve Export Control Support?
Potential Export Control Overlay
Anticipating ITAR, EAR, and MCTL columns in the Section 4 table
Department of State (DoS)
• ITAR - Directorate of Defense Trade Controls (DDTC) has jurisdiction
• Missile Technology Control Regime (MTCR)
• All elements listed on the US Munitions List (USML) are subject to ITAR
Department of Commerce (DoC)
• EAR - Bureau of Industry and Security (BIS) has jurisdiction
• All elements listed on the Commerce Control List (CCL) are subject to EAR
Department of Defense (DoD)
• USD (AT&L) – develops, approves and maintains the Military Critical Technology List (MCTL) that influences the content of the USML and CCL
• MCTL - Defense Technology Security Administration (DTSA) administers the development and implementation of DoD technology security policies on international transfers of defense-related goods, services and technologies
Conclusions for Contrasting State of Cybersecurity to the NEC
• Unlike AHJ-authorized electrical installations, AO-authorized cybersecurity system installations are not grandfathered by older C&A authorizations
• Cybersecurity threats are more dynamic
• Unlike the development of electrical safety standards, which was spearheaded by industry, cybersecurity standards development is driven more by Agency risk management and associated compliance (e.g., FISMA, RMF, ICD Number 503, CNSSP #11, FIPS 140-2)
• Common Criteria is an internationally recognized process for branding IT component Evaluation Assurance Levels (EAL) by 3rd party labs. The value provided is analogous to the component trust instilled by UL and ETL safety validation/branding by 3rd party labs
• Cybersecurity state-of-the-practice is still in its infancy when contrasted to the NEC
• Overlays are analogous to the NEC Article 500+ series: they capture baseline deltas and extra guidance details. Overlays are authorized common tailoring of system cybersecurity controls for specific data types, environment types, and system functionality needs. Overlays and associated guidance could be codified to be more like the NEC to foster less costly cybersecurity engineering analysis and greater repeatability for systems engineering decisions
• Overlay-driven cybersecurity code could simplify development of compliance matrices and accurate prediction of SDLC cybersecurity compliance cost. Until then, PMs will need to remain agile in identifying and accommodating derived cybersecurity requirements
• Acquisition and other communities need an Export Control Overlay to adequately address foreign national wire-level connectivity to US RDT&E environments containing export controlled technologies, articles, or services.