NIST 800-37.2 and federal Risk Management Framework; all SCADA systems

Maxburn
Joined: Wed Mar 04, 2020 12:51 am

Post by Maxburn »

Some thoughts about this: I was relieved recently to find that ALC corporate is making great strides in generating materials to perform a "type accreditation" for their system. What I found interesting was that under these NIST standards there is no such thing as an across-the-board product getting "certified to operate"; each installation must go through the RMF process and receive certification via the local "authorizing official". Not sure how some other vendors are handling that, but there must be similar things going on behind the rumors, and any rumor saying they are certified is BS. There's not actually a term "certificate to operate" in RMF.

ALC's "type accreditation" will use terms like "accredited in other facilities". It will also have "attestation" documentation from third party security penetration tester assessors and their findings. Basically it will be a package of docs stating that the product software and hardware supplied by ALC has been investigated and complies with NIST 800-37.2. This will be a huge burden off of the dealers and branches.

Type accreditation only gets you about 80% of the way there because RMF covers the entire installation. Physical security and networking are typically out of scope of controls work. Good news is that this seems to be spelled out in section 4.010.06, in that the design (the engineer), construction, and internal IT must be involved in the process. Not optional.

Also what I found interesting is that this applies to ALL FEDERAL BUILDINGS, not just military bases etc. At the moment it seems in areas like ours it's being ignored, to the point where when we ask to identify the RMF authorizing official we generally don't get a clear answer. Yes, we see it come up in bids (they are required to want it), but the local people don't actually want to go through all the work.

One of the angles I especially like is that RMF requires recertification every three years. I can't tell you how many government facilities simply restrict access to the controls system and ignore it, never mind that the version hasn't been supported for a couple of years and it's on an OS that's end of life.

orion242
Joined: Fri Feb 21, 2020 12:55 am
Location: New England

Re: NIST 800-37.2 and federal Risk Management Framework; all SCADA systems

Post by orion242 »

Maxburn wrote: Mon Mar 16, 2020 1:27 pm
    Also what I found interesting is that this applies to ALL FEDERAL BUILDINGS, not just military bases etc. At the moment it seems in areas like ours it's being ignored, to the point where when we ask to identify the RMF authorizing official we generally don't get a clear answer. Yes we see it come up in bids they want it (required to) but the local people don't actually want to go through all the work.

Hear and see the same around here. Glad we don't do much with them, as it seems like an epic fail waiting to happen.

You ask, and ask, and ask, and nobody knows nothing. You ignore it and just move ahead like this doesn't exist. Then a week after training and the warranty letter some gov inspector comes in to approve it and the crap hits the fan. Where is all this documentation, why was this started before completing x, y, z. Misery....

Total disorganized mess, and seems ripe for contractors to get their nuts chopped at the end of a project.

Maxburn
Joined: Wed Mar 04, 2020 12:51 am

Re: NIST 800-37.2 and federal Risk Management Framework; all SCADA systems

Post by Maxburn »

orion242 wrote: Mon Mar 16, 2020 4:04 pm
    You ask, and ask, and ask nobody knows nothing. You ignore it and just move ahead like this doesn't exist. Then a week after training and warranty letter some gov inspector comes in to approve it and the crap hits the fan. Where is all this documentation, why was this started before completing x,y,z. Misery....

    Total disorganized mess and seems ripe for contractors to get their nuts chopped at the end of a project.

So the thing is, when they do come back at you with this stuff we can hit back at them and say this is our part, now you need to do this, the IT group needs to do this, maintenance needs to do this, etc. RMF is pretty detailed and involves darn near everyone that had a part in the building, not something they can simply toss on the controls vendor.

Also notable: for a long time now one trick we are doing is that anything that is BACnet/IP, like say a VRF front end controller, we are sticking on one of our MS/TP trunks with another little router and a CAT# cable between the two. All of the other services from that controller aren't on the facility network and are effectively "firewalled". Only our controllers with "type accreditation" get put on the facility IP network.