Probably the next most critical infrastructure after electric power in North America is natural gas. Like power, there is a nationwide gas transmission system whose loss would affect homes and businesses almost like an electrical outage would. And with the increasing dependence on natural gas for generation, a widespread cyber attack on gas pipelines would be an attack on the electric power system as well.
There is currently a fairly perfunctory cyber security regulation for gas pipelines, promulgated by the TSA (yes, the same people who make you take off your shoes at the airport!), but I know a lot of people think much more is needed. The question then becomes (and I’ve been asked this several times) “Would NERC CIP be a good model for gas pipeline regulations?”
Of course, I think most people in the power industry would just emit a hearty laugh if asked this question, and I’d have to agree with them – it’s hard to imagine inflicting the current CIP compliance regime on any industry except perhaps an enemy’s. But the question then becomes: “What would be a good model for cyber regulation for gas pipelines?”
When recently asked this question, I gave it a little thought, then realized the answer was quite simple: Whatever would be the right solution for the electric power industry would be the right solution for any critical infrastructure. Whatever would work for one critical infrastructure should work for all of them.
But what would work for the power industry? If you’ve been reading this blog for a while, you’ve seen this question addressed tangentially in various ways, but never set forth in one place as a specific program. As I’ve mentioned previously, I am now discussing writing a book with a couple of co-authors, which will address this question in detail. But the main reason I haven’t attempted a full frontal assault on this question in my blog is that I haven’t felt I could succinctly articulate an answer.
Until now. I do believe I can now articulate what a critical infrastructure cyber security regulation should look like in six sentences (OK, maybe it’s seven). I will list them here without justification and without detail on how they might be implemented; for that, you’ll have to wait for the book, although I’m sure I’ll sketch out a lot of the details in future posts. Of course, I’d welcome any comments or questions about what I say below – I’ll try to answer using whatever I know at the current time; I’d also like to hear your opinions on whether this sounds like the right approach or not.
In my humble opinion, a workable cyber security compliance regime for any critical infrastructure sector needs to be based on six principles:
- The process being protected needs to be clearly defined (the Bulk Electric System, the interstate gas transmission system, a safe water supply for City X, etc.).
- The compliance regime must be threat-based, meaning there needs to be a list of threats that each entity should address (or else demonstrate why a particular threat doesn’t apply to it).
- The list of threats needs to be regularly updated, as new threats emerge and perhaps some old ones become less important.
- While no particular steps will be prescribed to mitigate any threat, the entity will need to be able to show that what they have done to mitigate each threat has been effective[i].
- Mitigations need to apply to all assets and cyber assets in the entity’s control, although the degree of mitigation required will depend on the risk that misuse or loss of the particular asset or cyber asset poses to the process being protected.
- It should be up to the entity to determine how it will prioritize its expenditures (expenditures of money and of time) on these threats, although it will need to document how it determined its prioritization.
Of course, I’m not going to say now that I won’t ever add to or subtract from this list of principles. But I think they’re a good start.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] My eyes were opened at the RF CIP workshop this past week, when Lew Folkerth pointed out that the key to being able to audit non-prescriptive requirements is for the entity to have to demonstrate that the measures they took were effective. I will do a post on this soon.