Recent conversations on a certain public incident within the Seattle City government prompted me to revisit the PCI DSS standards. It has been several years since I interacted with PCI as a primary job responsibility. What a difference a few years have made! The v1.2.1 standard and its supporting materials are a delight to see. While complaints about the program still exist (especially over the value of the QSA/ASV certifications), the collection of implementation guidance, FAQs, and statements of the goals and intent behind both the master and detailed requirements is an invaluable set of work aids.
Compare the accessibility and clarity of the PCI Standards site with where I have focused for the past two years, the NERC CIP standards. The CIP requirements are exceedingly legalistic, present a mass of cross-referenced and difficult-to-follow dependencies, and are written from a perspective of strictly dictating control implementations rather than stating broad control standards that security, IT, and business leaders can understand. The direction from FERC to bring the CIPs into closer alignment with the NIST standards is a positive step, but the NIST standards are themselves governmental products and lack the ease of use found in the current PCI documents.
A natural assumption is that the protection requirements of critical infrastructure are much higher than those for commercial applications, and that these higher assurance levels require the denser language found in the NERC realm. Unfortunately, many CIP-compliant infrastructures would not come close to meeting PCI DSS requirements. This is in part due to the lack of maturity of industrial control and automation environments compared to general-purpose commerce systems, but even after leveling out these differences in technological maturity, I suspect many CIP environments do not have the rigor of data identification and risk-driven controls that most PCI Level 1 environments are required to demonstrate.
The NERC CIP standards are a huge step forward for the electric industry and a boon to initiating conversations on the governance of automation systems, but there is much work to be done. With the more limited audience of the utility sector compared to the number of entities subject to PCI, progress will be slower. While the initial discussions around CIP v4 are significant, I hope the CIP drafting team looks to standards such as PCI for examples of the type and quality of work products to which they can aspire.