
Richard "Dick" Brooks

IEC 62443 Week 2023 - Top Rated Presentation - Save the Date!Many - LinkedIn

I must admit, I do not understand why the Department of Energy CESER and Idaho National Lab are publicly endorsing an international cybersecurity framework identified as IEC 62443, when so many of the US Grid operators have publicly endorsed and implemented the NIST Cybersecurity Framework (NIST CSF), version 1.1.

The obvious question in my mind is, why are DOE CESER and INL not endorsing and promoting our own NIST Cybersecurity Framework, which is already used pervasively across US Grid operators and is recommended by NIST to meet cybersecurity requirements for the Cybersecurity Executive Order, 14028. Numerous government agencies will be called upon to implement NIST recommendations to meet Executive Order 14028, including DOE itself.

This push by DOE CESER and Idaho National Lab appears to be taking place without any consideration of the investments Grid Operators have already made in implementing NIST standards and the powerful momentum to follow NIST standards and guidelines. Recommendations that fail to factor in "ground truths" are destined for failure, while consuming precious resources that could be used for the greater good.

IMO, this endorsement of IEC 62443 and commitment to work for adoption by DOE CESER and the Idaho National Lab are a distraction from working on the more important, mission-critical goals of our nation and critical infrastructure, which are to protect critical infrastructure following NIST cybersecurity recommendations, in accordance with Executive Order 14028.

Actions that endorse and promote non-NIST recommendations, such as the endorsement of IEC 62443 by DOE CESER and INL, raise questions about our own Government's ability to collaborate across agencies and pull together in the same direction on cybersecurity solutions and spend taxpayer money efficiently to solve the pressing cybersecurity problems we face today, such as ransomware.