AMPYX CYBER

View Original

There is a better way to do this: why critical infrastructure cybersecurity regulations are heading in the wrong direction

By Patrick Miller

I helped write and establish the NERC CIP regulations. But now I want change. There is a way to save time, money and headaches while actually improving security for critical infrastructure. I’ll explain, but first, some context.

 

Fast and Furious

 

Managing cybersecurity regulations for technology is hard. Technology changes at a rapid pace, always faster than before. New versions come out – just as you bought the last one. Keeping up with it all is expensive and challenging. As technology changes, the regulations need to change to keep up.

 

This drives regulation to one of two directions: 1) highly specified to match the new and changing technologies, functionalities, use cases; or 2) higher-level concepts that are mostly technology-agnostic but goal-oriented. The former requires regular and swift changes to regulation, which is often difficult for regulatory agencies. The latter leaves large areas open for interpretation due to the lack of specificity and prescription. Finding the target area where these two circles overlap in the Venn diagram is harder than most understand.

 

Power House Rules

 

The NERC CIP standards (the cybersecurity regulations for the electric power sector) have managed to find the worst of both approaches. They are overly prescriptive and technology-specific in some areas, as well as overly vague and difficult to interpret in other areas – but inconsistently and in all the wrong places.

 

The CIP standards started around 20 years ago and they’ve been revised many times to keep up with changes in technology. They just went through another round of revisions, this time, to accommodate virtualization. These virtualization changes have been hotly debated. They have been proposed and voted down a few times already. This is a serious shift in the regulation, where all but two of the 13 standards are changing – which may not sound like much, but it translates into hundreds of individual requirements and sub-requirements that are affected in addition to several critical definitions in the Glossary of Terms.

 

For those of us that have been around for a few iterations of the CIP standards, this will feel like v3 to v5 all over again, maybe even v1. New standards and new definitions mean confusion, chaos, and cost. We will all be debating interpretations and approaches until NERC decides to provide some form of guidance which will probably only muddy the water (measuring from experience).

 

Fellowship of the Ring

 

This is certainly frustrating for the electric sector, but they are not alone. The natural gas sector is going through their own flavor of similar grief from their regulator, the TSA. The TSA recently issued a few Security Directives in addition to their existing Safety Guidelines. These Security Directives were a mix of knee-jerk reactive, grab bag security measures with no real structure or logic behind the approach other than some alignment with the ransomware attack on Colonial Pipeline. The gas industry’s reaction to these Security Directives was unanimous in frustration and disdain.

 

The pipeline security directives situation caused enough angst that a new regulatory agency was proposed, modeled after NERC, to offer similar industry-led stakeholder processes and self-regulation.

 

The water/wastewater sector is still early in the process but has some existing guidelines, all under EPA for now. Few would argue that regulation is right around the corner for them. Some have offered that the water sector adopt and/or align with NERC CIP. The same logic from the electric and proposed gas regulatory approaches was applied - “if the sector helps draft the standards that they know will be enforced against them, they will be supportive of the enforcement system that ‘holds the stick’ over them to create accountability.”

 

Last, but not least, the chemical sector has the Chemical Facility Anti-Terrorism Standards (CFATS; also under the TSA). Some have argued that these standards have repeat reauthorization challenges, could benefit from more expertise in cybersecurity to detect cybersecurity compliance issues, and have extremists abusing the system by infiltrating chemical facility making, storing, or using chemical weapon precursors.

 

Labyrinth

 

These five critical infrastructure sectors have been identified as important enough to take immediate actions: electric, gas, chemical, water and wastewater. However, the regulatory complexity in these sectors is a mess. It was probably best stated in the background press call for the July 28, 2021 National Security Memorandum:

 

“…we have a patchwork of sector-specific statutes today that really have been adapted piecemeal.  And we feel that the administration — the government’s responsibility is to feel confident that critical services that the American public rely on have the modernized defenses to ensure that they can continue to deliver the critical services they do.  And the current patchwork of sector-specific statutes does not enable us to say we have confidence that there is cybersecurity thresholds in place with regard to practices and with regard to technology, governance, and practices.  That is something that will likely require the Hill to partner with us to address.

 

…today’s patchwork of sector-specific approaches, state-level approaches, certainly is not enabling us to meet the threat.”

 

To solve this problem, everyone seems to think modeling after NERC CIP is the best approach. I’ve argued against this before. My opinion hasn’t changed, and I hope to make the case that while this may sound good at first, it is the worst possible path.

 

If we decide to let each of these sectors choose their own cybersecurity regulatory adventure, we will end up with five unique, highly specific regulations that can’t be compared against each other. When someone asks, “Where does US critical infrastructure stand on cybersecurity?” We will attempt to get metrics from multiple different sectors using different measurements against different standards going different directions. This is expensive, inefficient and ineffective.

 

After watching this process for 20 years in the electric sector, I can say the industry-led stakeholder involved process was useful to get everyone onboard. After that, it became bloated, tangled, and evolved into more of an administrative exercise than real security. The electric sector has some phenomenal security experts, but writing standards and regulation is a very different discipline. I am afraid it will be the same situation in other sectors.

 

Mission Possible

 

We need to normalize. Each sector is unique, but does each sector need unique security standards to be effective? After many years of working in these sectors, I don’t think so. The reality is we are all using IT and OT in much the same way. Our technologies all do essentially the same thing – flow control, automation, and an overlay for management layers that scale. Though we may feel we need specialized standards, it actually makes our regulatory burden even heavier.

 

I propose that we consider using a single body of standards for all these sectors. Instead of each sector spending enormous effort to create their own standard, we need to align to save time, money, and headaches. The best part: a standard that works with all sectors already exists.

 

NIST has done this for us with 800-53 and 800-82. These standards are often referenced by FERC when pointing out deficiencies in the NERC CIP standards. They cover both OT and IT and work together as a package. They are supported by the entire body of other NIST 800-series work and they are designed by an agency with a very long and successful history in developing standards. They fit into the overall Cyber Security Framework. It would also act as a single measurement by any auditor – regardless of where that ends up. Each sector can still have their own regulatory oversight and implementation timelines, but against a common standard.

 

This “one standard to rule them all” approach makes it easier on everyone, the critical infrastructure companies, the oversight agencies, consulting firms providing services, and even vendors attempting to adhere to the vast array of regulations for each individual sector (in each country). Securing critical infrastructures is of paramount importance. If we want measurable traction, this is probably our shortest path to success for all.

Featured Posts

See this gallery in the original post