19 December, 2006

NIST Draft SP 800-82

Greetings folks. Jim has kindly invited me to write an occasional guest blog here. This is my first effort at a formal 'blog writing. If you have comments on the format or subject matter, please tell me.

I want to make everyone aware of a looming deadline for the first round of comments on a draft standard from the National Institute of Standards and Technology (part of the US Federal Government) known as SP 800-82.

This document is a reasonably technical outline of various security measures. Except for a few glitches here and there, it's a very complete and well-done document. However, there is one glaring omission: it's a very complete bag of security tricks and policies, but it lacks any reference to the most important element of any security policy: the operators.

I hate to say this, but I'm going to anyway: It's the Homer Simpsons of this world who really matter here. They're the ones who will have to work and live with the security mania. They're the ones who are just trying to get their job done as safely and expeditiously as they reasonably can. They're the ones we need to sell this stuff to, or it all falls on the floor.

Look for them in this document. These people are nowhere to be found. Sure, in the executive summary, they mention IT, they mention Control Engineers, they mention the CIO or CSO, they even mention the system vendors. But they make very little mention of the plant operators.

Clearly, NIST is working on this problem as if it's almost entirely technical, not personal. Is it really? Or are they trying to solve a human problem with gadgetry?
