With a seemingly endless supply of expert consultants and solutions on the market, many IT departments in critical infrastructure industries have made significant inroads in the past few years into becoming compliant, striking a balance between rigorous attention to regulatory chapter and verse and still making time to support the critical projects and initiatives that keep the organization operating.
Although it may be difficult to confront, the fact of the matter is that not all IT groups in the critical infrastructure industry are fully compliant with information-security regulations. The area of NERC critical cyber-asset identification is one prominent example.
In any critical infrastructure sector, the very nature of self-certification means that it’s easy to evade the letter of the law, however unintentionally. Even when a company is making progress toward compliance, human nature and the economic pressures of the times can lead overworked professionals to cut corners.
Two Different Things
Recently, Michael Assante, the vice president and chief security officer of the North American Electric Reliability Corporation (NERC), sent out a letter to power-industry stakeholders raising the issue of somewhat widespread misidentification of qualifying assets. In a letter about the self-certification survey for NERC Reliability Standard CIP-002-1 for the period July 1 through Dec. 31, 2008, Assante wrote:
“The survey results, on their surface, raise concern about the identification of Critical Assets (CA) and the associated Critical Cyber Assets (CCA) which could be used to manipulate them. In this second survey, only 31 percent of separate (i.e. non-affiliated) entities responding to the survey reported they had at least one CA and 23 percent a CCA. These results are not altogether unexpected, because the majority of smaller entities registered with NERC do not own or operate assets that would be deemed to have the highest priority for cyber protection. …. Closer analysis of the data however suggests that certain qualifying assets may not have been identified as ‘Critical.’ … Although significant focus has been placed on the development of risk-based assessments, the ultimate outcome of those assessments must be a comprehensive list of all assets critical to the reliability of the bulk electric system.”
Let’s say that your organization is exemplary, that you’ve completed your regulatory compliance boot camp, you’ve trained your staff, you’ve documented your policies and procedures, implemented your processes and you’re now fully compliant. Congratulations on your diligence, which may just give your business an advantage in its marketplace, and for which you will no doubt be rewarded in your career. However, being compliant is not the same thing as being secure.
Never Designed as Panaceas
Being compliant in today’s threat environment simply isn’t enough to guarantee your organization is secure and maintaining continuous operations — or even its survival as a service provider. Industry regulations were never intended to be sufficient; they were designed to be used as frameworks within which IT groups could begin studying and outlining more rigorous security for their own particular environments. Most challenging of all is the fact that cyberthreats are growing, both in terms of the number of potential attackers and in scope.
The stated aim of some leading terrorist groups is not simply the disruption of daily life for American citizens. These groups also aim to harm our national economy, and they were successful in impacting the travel industry in the wake of the World Trade Center and Pentagon attacks — an impact from which that industry has not yet fully recovered.
If the critical infrastructure your organization serves has a similar financial model to many large-scale power plants, there has been a significant capital investment, with financing based on 90 percent to 100 percent uptime. If your systems do go down and there is an interruption in operations, consequences might include
- purchasing resources and commodities from other sources and at higher than market rates to satisfy immediate demand;
- loss of production capacity that results in lost profit opportunities and higher costs of goods, capital and labor;
- customer-imposed penalties or loss of customers; and
- political fallout.
Compliance leads organizations to accept a requirement based on the average risk analysis for an industry or segment. There is no expectation that these regulations or standards result in security, only that a minimum framework has been put in place. Unfortunately, some enterprises see compliance as a “get out of jail free card” to avoid a penalty or fine instead of a framework for developing an ongoing process to secure their operations against evolving cyber threats.
A risk-management model, versus compliance, takes a much broader approach to security, aiming for robust business-continuity plans with meticulous, organization-wide incorporation of best practices in all processes.
The process of security requires the acceptance that it is part of the corporation’s fiduciary responsibility to both the communities it serves and its investors. Cyber security should be an integral part of a business continuity plan that is reviewed, updated, implemented and managed on an ongoing basis. It cannot and must not be an “end state.”
Every critical-infrastructure sector should accept the challenge to adopt a “big picture” approach that addresses small checkpoints daily. This approach would have your IT and security groups commit to
- ongoing evaluation and adoption of best practices and best technologies for cyber security;
- continuous threat evaluation;
- daily practice of security with rapid change in practices in response to changes in the risk environment; and
- treatment of security as an integral part of the business, not a one-time project or exercise.
Jim White is vice president of critical infrastructure security at Uniloc.