
Contrasting the National Electric Code (NEC) and Cybersecurity

ITEA System of Systems - Reducing Risk

Thursday January 28th, 2016

[email protected]
TRMC – Cybersecurity Support Staff
904-625-2260

Pending Distribution A Release Authorization

Slide 2: Evolution of the National Electric Code (NEC)

• Incandescent light bulb was invented by Joseph Swan and first demonstrated to the public on December 18th, 1878 in England
• Competed with natural gas and kerosene for lighting
• By 1881, one US insurer had reported electrical fires at 23 of 65 insured textile mills in New England
• “We were without standards and inspectors, while manufacturers were without experience and knowledge of real installation needs. The workmen frequently created the standards as they worked, and rarely did the two men think and work alike.”
• Standardization for a national code of rules for electrical construction and operation for the practical safeguarding of persons and property from the hazards arising from the use of electricity was needed
• By 1895, five electrical codes were being applied in the US, causing considerable controversy and confusion

Each of the following had its own unique set of controls:
• DIACAP
• DCID 6/3
• NISPOM
• NISCAP
• NIST SP 800-37

Slide 3: Evolution of the NEC

• First harmonization of electrical code was called the German Code
• Code of the British Board of Trade and the Phoenix Rules of England reviewed by 1200 people during 1897 from the US and Europe.
• National Electric Code (NEC) resulted from a meeting of 23 people at the ASME headquarters during March 18-19, 1896
• Is a living code that is currently updated every 3 years using an open consensus process
• Not intended as a design specification or an instruction manual
• Does not cover ships, watercraft other than floating buildings, aircraft, automotive vehicles other than mobile homes and RVs

Slide 4: Consumer Use Case

Install a 6 KW photovoltaic system on a house roof such that, if it fails and causes a fire, I can still collect homeowners insurance: a NEC-compliant installation
• Create a plan, apply standardized architecture, develop a specific design implementation, integrate and install
• Is an Industrial Control System (ICS)

Industry catalog technical content – PV architectures:
• Off-Grid
• Grid-Tie
• Utility Grid-Tie
• AC-Coupled

Off-Grid PV Architecture

Industry Branded Parts Catalog

Slide 5: Reference Material

• Analogous to CNSSI 1253, NIST SP 800-53, Overlays, STIGs and SRG bundled into one manual, ~1500 pages
• Industry catalog of components and guidance, ~250 pages
• NIST SP 800-53 Rev4 Appendix F

Slide 7: Contrast National Electric Code to Cybersecurity Regulations

• NEC Content, Arrangement of Articles
  • Chapter 1 – General
  • Chapter 2 – Wiring Protection
  • Chapter 3 – Wiring Methods and Materials
  • Chapter 4 – Equipment for General Use
  • Chapter 5 – Special Occupancies
  • Chapter 6 – Special Equipment
  • Chapter 7 – Special Conditions
  • Chapter 8 – Communications Systems - Not subject to Chapters 1-7
  • Chapter 9 Tables - Applicable as referenced
  • Informative Annex A through I - Informative not mandatory

Chapters 1 through 4 apply generally to all electrical installations (analogue to CNSSI 1253 and NIST SP 800-53 baselines)

Chapters 5 through 7 supplement or modify Chapters 1 thru 4, except where specifically noted (analogue to Overlays and NIST SP 800-60)

ARTICLE 690 “Solar Photovoltaic (PV) Systems”

Installation of an Off-Grid Photovoltaic System at a House

City Home / Fire Home / Prevention / Fire Marshal’s Office (http://www.mariettaga.gov/city/fire/prevention/firemarshal)
• Inspection of buildings
• Life Safety
• Handicap accessibility
• Fire sprinkler systems
• Fire alarm systems
• Investigation of fires
• Enforcement of state laws and local ordinances pertaining to fire prevention
• Plan Review

City Hall / Building Construction / Permits and Inspections (https://www.mariettaga.gov/city/cityhall/inspections)
• Building <- Building Inspector (residential)
• Plumbing
• Gray Water
• HVAC
• Electrical <- Electrical Inspector

Safety Programs, contrast to Cybersecurity Programs
Inspector, contrast to SCA/R (Interview, Document, Observe, Test)
Fire Marshal or Authority Having Jurisdiction (AHJ), contrast to CIO/SISO/AO
• Enforcement
• Plan Review
• Forensics

AHJ – organization, office, or individual responsible for approving equipment, materials, an installation, or a procedure (NFPA)

Slide 8: Finished Backyard Arrays

• Array #1 – 185 Watt panels
• Array #2 – 185 Watt panels
• Array #3 – 200 Watt panels
• Array #4 – 200 Watt panels

Slide 9: Array Combiner Box

• Located at top center point of each array on the roof
• 8-string combiner box that contains four fuses for the four circuits (690.9)

Slide 10: Array Lightning Arrester and GFPI

• One of these for each array in the attic
• GFP circuit breakers (690.5 A thru C for grounded DC PV arrays)
• Lightning arresters (280, NFPA 780-2011)

Slide 11: Power Control Panel Components

• Flooded lead acid battery hydrogen exhaust fan (480.9A)
• Battery box (480.8, 480.9, 110.27)
• Zener diode for DC fan motor (increases reliability of electronic actuator)

Slide 12: Finished Power Control Panel

• Morningstar MPPT charge controller
• Ethernet switch
• Proprietary Outback hub
• Proprietary Morningstar hub
• Outback LED state of charge indicator
• Is an Industrial Control System (ICS)

Slide 13: Upstairs Closet Meters

• Meter for 4 charge controllers
• Meter for inverter and batteries

Slide 15: NEC – Electrical Component Testing Labs and Standards

• Nationally Recognized Testing Labs (NRTL), authorized by the US Department of Labor (DoL) Occupational Safety & Health Administration (OSHA) to certify product compliance with safety standards (https://www.osha.gov/dts/otpca/nrtl/ & https://www.osha.gov/dts/otpca/nrtl/list_standards.html)
• Edison Test Labs (ETL) – Intertek testing of the following kinds of standards: ANSI, ASME, ASTM, ISO, NFPA
• Underwriters Laboratories (UL) – numerous UL Standards: 153, 197, 796, 1026, 1492, 1598, 1642
• Restriction of Hazardous Substances (RoHS)
  • Lead (Pb): < 1000 ppm
  • Mercury (Hg): < 100 ppm
  • Cadmium (Cd): < 100 ppm
  • Hexavalent Chromium (Cr VI): < 1000 ppm
  • Polybrominated Biphenyls (PBB): < 1000 ppm
  • Polybrominated Diphenyl Ethers (PBDE): < 1000 ppm

Slide 16: Cybersecurity – IT Component Configuration/Certification/Validation

• DISA STIG and Control Correlation Identifiers (CCI)
  • Security Technical Implementation Guides (STIG) http://iase.disa.mil/stigs/Pages/index.aspx
  • Security Requirements Guide (SRG) http://iase.disa.mil/stigs/srgs/Pages/index.aspx
• NIST Cryptographic Module Validation Program
  • Computer Security Division (CSD) and CSEC jointly serve as the Validation Authorities for the program, validating the test results and issuing certificates
  • FIPS 140-1 and FIPS 140-2 compliance testing and certifications
• National Information Assurance Partnership (NIAP) between NIST and NSA
  • Common Criteria (ISO Standard 15408) Testing Labs (CCTL) https://www.niap-ccevs.org/Big_Picture/cctls.cfm
  • Protection Profiles (PP) are cybersecurity standards for classes of products
  • Security Targets (ST) are used to test a vendor’s target of evaluation (TOE) claim
  • NIST Product Compliance List (PCL) https://www.niap-ccevs.org/Product/
• NSA Commercial Solutions for Classified (CSfC) Program Component List https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml
• DoD Approved Product Listings – SISSU related
  • DISA UC-APL, USAF e/APL, USA CoN, USN DADMS
• Joint DoD and ODNI CIO Unified Cross Domain Services Management Office (UCDSMO) Baseline Lists of transfer, access and MLS cross domain solutions

Slide 17: DoD Policy Precedence

Slide 18: Primary RMF Resources

Policies:
• DODI 8500.01: Cybersecurity
• DODI 8510.01: RMF for DoD IT
  • https://rmfks.osd.mil/rmf/Pages/default.aspx
• CNSSP 22: IA Risk Management Policy for NSS
• CNSSI 1253: NSS Categorization Baselines
• CNSSI 4009: CNSS Glossary
• FIPS 199: Categorization of Information and Systems
• NIST SP 800-30: Risk Assessment
• NIST SP 800-37: Guide to Applying RMF
• NIST SP 800-39: Managing Information Security Risks
• NIST SP 800-53 Rev4: Controls Catalog
• NIST SP 800-60: Data Type Categorization – Needs to be updated for DoD
• NIST SP 800-137: Information Security Continuous Monitoring (ISCM)

Slide 19: Differences Between DIACAP and RMF C&A Processes

Slide 20: RDT&E Perspective of Risk Management Framework Tiered Enterprise Risks

NIST/DoD tiers (strategic risk at Tier 1 down to tactical risk at Tier 3):
• TIER 1 – Organization: DoD CIO/SISO (RMF TAG & KS), DoD ISRMC (DSAWG); Risk Executive Function
• TIER 2 – Mission / Business Processes: WMA, BMA, EIEMA, DIMA PAOs; DoD Component CIO/SISO; FMCO
• TIER 3 – Information Systems: Authorizing Official (AO), System Cybersecurity Program

Across the tiers:
• Inter-tier and intra-tier communications
• Feedback loop for continuous improvement
• Traceability and transparency of risk-based decisions
• Organization-wide risk awareness

WMA – Warfighting Mission Area
BMA – Business Mission Area
EIEMA – Enterprise Information Environment Mission Area
DIMA – DoD portion of the Intelligence Mission Area

RDT&E construct:
• TIER 1 – Enterprise level
• TIER 2 – DoD RDT&E Overlay and associated RDT&E guidance
• TIER 3 – RDT&E guidance for standardization of RDT&E Information Security Architecture to establish expectations for what controls RDT&E Host(s) must/should/may inherit
• TIER 4 (an RDT&E construct) – RDT&E guidance for standardization of RDT&E Information Security Architecture (ISA) to establish expectations for what controls RDT&E Tenant(s) must/should/may inherit

Slide 21: RMF Cybersecurity Roles

RMF Roles:
• MAO – Mission Area Owner (supra functional mission BMA, WMA, EIEMA, and DIMA CIOs)
• PAO - Principal Authorizing Officials (supra functional mission AO, previously called PAAs)
• FMCO – Functional/Mission Capability Owner (new Risk Executive Function related role)
• CIO – Chief Information Officer (CIO at component level)
• SISO – Senior Information Security Officer (reports to CIO, is in charge of DoD component’s cybersecurity program, previously called SIAO)
• AO – Authorizing Official (reports to CIO and CISO, previously called the DAA)
• AODR – AO Designated Representative (reports to AO, previously called the DAAR)
• SCA – Security Control Assessor (reports to AO/R, previously called the CA – Certifying Authority)
• SCAR – SCA Representative (reports to SCA, previously called the ACA – Agent to CA)
• IO – Information Owner
• ISO - Information System Owner (enclave’s PM during its acquisition)
• ISSM – Information System Security Manager (reports to ISO/PM and AO)
• ISSO – Information System Security Officer (reports to ISO/PM)
• ISSE/SSE – Information System Security Engineer (reports to ISSM and PM)
• NA – Network Administrator
• SA – System Administrator

Slide 22: Dispute and Governance Resolution

Dispute Resolution:
• DoD Component Level (e.g., SCA, AODR, AO, CIO)
• Defense IA Security Accreditation Working Group (DSAWG), headed by an O-6
  • Provides technical support for ISRMC
  • Network connection authorization between different collateral security domains
• Individual Mission Area Principal Authorizing Officials (MA PAO), flag officer
• DoD Information Security Risk Management Committee (ISRMC), headed by PAO appointed by Mission Area Owners (MAO):
  • WMA PAO
  • BMA PAO
  • EIEMA PAO
  • DIMA PAO

Governance Resolution:
• DoD Component Level
• RMF Technical Advisory Group (TAG)
• DoD CIO Executive Board (CIO EXBD)
• Command, Control, Communications, Computers, Cybersecurity Leadership Board (C5LB)
  • Tri-chaired by appointments from the DoD CIO, USSTRATCOM, and DJ-6

Slide 23: 8510 RMF Steps for System A&A and Areas for RDT&E Refinement

(Figure: the RMF steps with an ISCM loop; callouts mark the areas for RDT&E refinement.)
• RDT&E Overlay?
• RDT&E Guidance?
• RDT&E Information Security Architecture is needed from Step 2 to support implementation
• RDT&E ISCM Strategy?

Slide 24: Information System Continuous Monitoring (ISCM) Strategy

Policies & Guidance:
• CNSSI No. 1011 - “Implementing Host-Based Security Capabilities on National Security Systems” (FOUO)
• NIST SP 800-137 - “ISCM for Federal Information Systems and Organizations”
  • Tier 1 – “Organizational Strategy and Risk Tolerance” is a Risk Executive Function responsibility
  • Tier 2 - Mission aspects of Strategy <- mission FMCO representation needed for RDT&E
    • Mission risks are different for RDT&E Standalone, RDT&E Isolated and RDT&E Shared network topologies
  • Tier 3 – “ISCM Strategy” is an ISO/IO responsibility

RMF TAG (Tier 1):
• Enterprise Dashboard – RMF TAG Continuous Reauthorization Work Group
  • Red Light Controls – 10 identified
    • Security control requires an immediate escalation to the AO for a risk management decision concerning disconnect or continued operations. The most critical piece, the majority, or all of the control has failed.
  • Yellow Light Controls – 180 identified
    • Security control does not require immediate AO notification but should be further investigated prior to escalation to the AO for a risk management decision concerning disconnect or continued operations.
  • White Light Controls – 299 identified

Slide 25: RDT&E ISCM Strategy

ISCM strategy should address:
1. FMCO dashboard view with control monitoring frequencies and methods, reporting schemes, and tracking; balancing between control criticality and mission objectives
2. ISCM CM process (see below)
3. DOTMLPF-ing cybersecurity controls to assist in allocating proper resources for POA&M development

Conceptual ISCM CM Process (flowchart; only the recoverable labels are kept here):
• RMF steps around the ISCM loop: 1 Categorize, 2 Select, 3 Implement, 4 Assess, 5 Authorize (e/APL), 6 Monitor; other labels: Operational System (e.g., Training), Sandbox, RDT&E, Provisional State (SCA/ISSM), First Time (A)
• Process boxes, in page order: Adding New Widget or Upgrading Existing Widget; Request for Configuration Change; Ongoing Assessment of Cybersecurity Controls; Prioritize and Address Findings; Update SAR Report; Risk Determination; Requires CCB; AO Authorization to Proceed; Update ATO T&Cs; Change to Operational State; Develop Remediation Actions
• Decision points: Risk Determination (Low Risk / High Risk); Requires CCB (Yes / No; B: CCB required, C: no CCB required)
• Step 6 monitoring maps to NIST SP 800-37 Tasks 6-1 through 6-6
• Roles shown on the flow: ISSO, ISO, ISSM, ISSE, CCB, CCP, NA, SA, SCA, SCA/R, AODR, AO
• Change triggers: CM change to support an event, zero day event, virus signature update, upgrades, policy updates, manpower changes
• Assessment inputs: ACAS, STIG, HBSS, pen testing, trouble tickets (e.g., JIRA); artifacts: SSP - ISSM, POA&M - ISSM

Slide 26: Purpose of Cybersecurity Overlays

Overlay - A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the “RMF Selection” that is intended to complement (and further refine) security control baselines. Overlay specifications may be more stringent or less stringent than original security control baseline specifications, and are applied to multiple information systems.

• Address cybersecurity concerns for 3 broad areas:
  • Data Type confidentiality and integrity risks (e.g., SCI/SAP, classified, CUI/export-control and privacy)
  • System Functionality Needs (e.g., CDS, space systems, tactical systems, industrial control systems and critical infrastructure)
  • Environmental Types (e.g., RDT&E sites/ranges, IO ranges and training sites/ranges)
• Approval bodies:
  • DoD (posted on RMF Knowledge Service)
  • CNSS (e.g., Space Platform, Cross Domain Solution, Intelligence, Classified Information, and Privacy)
  • NIST (e.g., NIST SP 800-82 - Guide to Industrial Control System Security)

Slide 27: CNSS & DOD Overlays

CNSS – Existing:
• Information Accessibility (revision in progress, dated 12/15/2011) – 3 pg.
• Intelligence (revision in progress, dated 10/23/2012) – 9 pg.
• Space (revision in progress, dated 6/1/2013) – 33 pg.
• CDS (revision in progress, dated 9/27/13) – 13 pg.
• Classified Information (5/9/2014, relative to NIST 800-53 Rev4 High Watermark) – 29 pg.
• Privacy (4/20/2015, covers PII and PHI) - 127 pg.

DOD – Existing:
• Nuclear Command and Control, Communications (NC3) Systems Overlay (15 June 2015) – 23 pg.

Slide 28: Draft RDT&E Overlay, Section 4

RDT&E Overlay

Control | Infrastructure | Control | Infrastructure
AC-4 | G | CP-7(1) | --
AC-6(6) | + | CP-7(2) | --
AC-7 | VG | CP-7(3) | --
AC-10 | G | CP-7(4) | --
AC-16 | G | CP-8 | G
AC-16(6) | G | IA-2(1) | G
AC-17(1) | G | IA-4(2) | +
AC-18 | G | IR-9(3) | G
AT-3(1) | G+ | IR-10 | G
AU-5 | V | PS-3(2) | +
AU-5(1) | GV | PS-6(2) | +
AU-6(4) | G | RA-3 | V
CA-7 | G | SC-7(13) | G
CM-4(1) | G | SC-18(1) | GV
CM-4(2) | + | SC-18(3) | G
CM-5 | G | SC-22 | G
CM-6 | G | SI-3 | V
CM-6(1) | G | SI-3(2) | G
CM-6(1) | G | SI-3(4) | G+
CM-8(5) | G | SI-4(23) | V
CM-8(6) | + | SI-7(8) | V
CP-7 | -- | |

Table 1: RDT&E Overlay Security Controls

Key:
(G) Go to Section 5 for Supplemental Guidance
(V) Assignment Value or Selection is prescribed
(+) Indicates control should be selected
(--) Indicates control should be deselected
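As an added example (not code from the briefing or the draft overlay), the following Python applies the Table 1 key to a control baseline the way the overlay definition on slide 26 describes an overlay refining a baseline: it parses the table as printed, selects (+) and deselects (--) controls, and reports which selected controls carry prescribed values (V) or Section 5 guidance (G). The baseline it is exercised with is a constructed sample, not a real CNSSI 1253 baseline.

```python
"""Apply the draft RDT&E overlay (Table 1) to a control baseline.
Added example, not the briefing's code; TABLE_1 is the slide's table as printed."""
import re
from dataclasses import dataclass

# Two control/flag pairs per printed row; CM-6(1) appears twice on the slide.
TABLE_1 = """
AC-4 G CP-7(1) --
AC-6(6) + CP-7(2) --
AC-7 VG CP-7(3) --
AC-10 G CP-7(4) --
AC-16 G CP-8 G
AC-16(6) G IA-2(1) G
AC-17(1) G IA-4(2) +
AC-18 G IR-9(3) G
AT-3(1) G+ IR-10 G
AU-5 V PS-3(2) +
AU-5(1) GV PS-6(2) +
AU-6(4) G RA-3 V
CA-7 G SC-7(13) G
CM-4(1) G SC-18(1) GV
CM-4(2) + SC-18(3) G
CM-5 G SC-22 G
CM-6 G SI-3 V
CM-6(1) G SI-3(2) G
CM-6(1) G SI-3(4) G+
CM-8(5) G SI-4(23) V
CM-8(6) + SI-7(8) V
CP-7 --
"""

CONTROL_RE = re.compile(r"^[A-Z]{2}-\d+(?:\(\d+\))?$")  # e.g. AC-4, SC-7(13)
FLAG_RE = re.compile(r"^(?:--|[GV+]+)$")                # key printed under Table 1

def parse_overlay_table(text: str) -> dict:
    """Read the flattened table into {control_id: flags}, rejecting malformed pairs."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("table must consist of control/flag pairs")
    overlay = {}
    for control, flag in zip(tokens[::2], tokens[1::2]):
        if not CONTROL_RE.match(control) or not FLAG_RE.match(flag):
            raise ValueError(f"malformed pair: {control!r} {flag!r}")
        overlay[control] = flag
    return overlay

@dataclass
class OverlayResult:
    selected: set               # baseline after tailoring
    added: set                  # (+) controls the overlay selected
    deselected: set             # (--) controls removed from the baseline
    needs_guidance: set         # (G) read Section 5 before implementing
    prescribed_values: set      # (V) assignment/selection value is fixed
    inapplicable_guidance: set  # G/V entries whose control ends up unselected

def apply_overlay(baseline: set, overlay: dict) -> OverlayResult:
    """Tailor a baseline with the overlay according to the Table 1 key."""
    added = {c for c, f in overlay.items() if "+" in f} - baseline
    deselected = {c for c, f in overlay.items() if f == "--"} & baseline
    selected = (baseline | added) - deselected
    guidance = {c for c, f in overlay.items() if "G" in f}
    values = {c for c, f in overlay.items() if "V" in f}
    return OverlayResult(selected, added, deselected, guidance & selected,
                         values & selected, (guidance | values) - selected)
```

The inapplicable_guidance set is the check worth keeping: a G or V entry only matters if the control is actually in the tailored selection, so entries landing there point at either a baseline gap or an overlay row that needs a (+).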

Slide 29: Draft RDT&E Overlay, Summary of Section 5

RDT&E Applicability | Supplemental Guidance Category | Examples
Host or Tenant | Statutory/regulatory compliance | SCI, ITAR or EAR export controls, and PII
Host or Tenant | Deselection rationale | CP-7, CP-7(1), CP-7(2), CP-7(3), CP-7(4)
Host or Tenant | Assumption(s) | AC-16, CM-8, IR-10, SC-18(3), SC-22
Host or Tenant | Assignment/selection value guidance | AC-7, AU-5, AU-5(1), RA-3, SC-18(1), SI-3, SI-4(23), SI-7(8)
Host or Tenant | Inheritance | AC-17(1), SC-7(13)
Host or Tenant | Additional guidance/scope | AC-4, AC-10, AC-16, AC-16(6), AC-17(1), AC-18, AU-5(1), AU-6(4), CA-7, CM-4(1), CM-5, CM-6(1), CM-8, CP-8, IR-9(3), IR-10, SC-7(13), SC-18(1), SI-3(2), SI-3(4), SI-4(23)
Host or Tenant | Selection rationale | AC-6(6), AT-3(1), CM-4(2), CM-8(6), CP-7, CP-7(1), CP-7(2), CP-7(3), CP-7(4), IA-4(2), PS-3, PS-6(2)
Host or Tenant | Risk not present | AC-17(1), AC-18, CP-8, IA-2(1), SC-18(3), SC-22
Host or Tenant | Non-applicability rationale | CM-4(1)
Host or Tenant | Risk acceptance | AC-16, AC-17(1), AU-6(4), CM-6, CM-6(1), CP-8, SC-18(1), SI-3(2)
Tenant | SDLC issue(s) | Immaturity, Ownership, Technical Limitations

Slide 30: Will NIST SP 800-53 Rev5 Improve Export Control Support?

Potential Export Control Overlay: anticipating ITAR, EAR, and MCTL columns in the Section 4 table

Department of State (DoS)
• ITAR - Directorate of Defense Trade Controls (DDTC) has jurisdiction
• Missile Technology Control Regime (MTCR)
• All elements listed on the US Munitions List (USML) are subject to ITAR

Department of Commerce (DoC)
• EAR - Bureau of Industry and Security (BIS) has jurisdiction
• All elements listed on the Commerce Control List (CCL) are subject to EAR

Department of Defense (DoD)
• USD (AT&L) – develops, approves and maintains the Military Critical Technology List (MCTL) that influences the content of the USML and CCL
• MCTL - Defense Technology Security Administration (DTSA) administers the development and implementation of DoD technology security policies on international transfers of defense-related goods, services and technologies

Slide 31: Conclusions for Contrasting the State of Cybersecurity to the NEC

• Unlike AHJ-authorized electrical installations, AO-authorized cybersecurity system installations are not grandfathered by older C&A authorizations
• Cybersecurity threats are more dynamic
• Unlike the development of electrical safety standards, which was spearheaded by industry, cybersecurity standards development is driven more by Agency risk management and associated compliance (e.g., FISMA, RMF, ICD Number 503, CNSSP #11, FIPS 140-2)
• Common Criteria is an internationally recognized process for branding IT component Evaluation Assurance Levels (EAL) by 3rd party labs. The value provided is analogous to the component trust instilled by UL and ETL safety validation/branding by 3rd party labs
• Cybersecurity state-of-the-practice is still in its infancy when contrasted to the NEC
• Overlays are analogous to the NEC Article 500+ series: they capture baseline deltas and extra guidance details. Overlays are authorized common tailoring of system cybersecurity controls for specific data types, environment types, and system functionality needs. Overlays and associated guidance could be codified to be more like the NEC to foster less costly cybersecurity engineering analysis and greater repeatability for systems engineering decisions
• Overlay-driven cybersecurity code could simplify development of compliance matrices and accurate prediction of SDLC cybersecurity compliance cost. Until then, PMs will need to remain agile in identifying and accommodating derived cybersecurity requirements
• Acquisition and other communities need an Export Control Overlay to adequately address foreign national wire-level connectivity to US RDT&E environments containing export controlled technologies, articles, or services.