Probably the next most critical infrastructure after electric power in North America is natural gas. Like power, there is a nationwide gas transmission system whose loss would affect homes and businesses almost like an electrical outage would. And with the increasing dependence on natural gas for generation, a widespread cyber attack on gas pipelines would be an attack on the electric power system as well.
There is currently a fairly perfunctory cyber security regulation for gas pipelines, promulgated by the TSA (yes, the same people who make you take off your shoes at the airport!), but I know a lot of people think much more is needed. The question then becomes (and I’ve been asked this several times) “Would NERC CIP be a good model for gas pipeline regulations?”
Of course, I think most people in the power industry would just emit a hearty laugh if asked this question, and I’d have to agree with them – it’s hard to imagine inflicting the current CIP compliance regime on any industry except perhaps an enemy’s. But the question then becomes: “What would be a good model for cyber regulation for gas pipelines?”
When recently asked this question, I gave it a little thought, then realized the answer was quite simple: Whatever would be the right solution for the electric power industry would be the right solution for any critical infrastructure. Whatever would work for one critical infrastructure should work for all of them.
But what would work for the power industry? If you’ve been reading this blog for a while, you’ve seen this question addressed tangentially in various ways, but never set forth in one place as a specific program. As I’ve mentioned previously, I am now discussing writing a book with a couple of co-authors, which will address this question in detail. But the main reason I haven’t attempted a full frontal assault on this question in my blog is that I haven’t felt I could succinctly articulate an answer.
Until now. I do believe I can now articulate what a critical infrastructure cyber security regulation should look like in six sentences (OK, maybe it’s seven). I will list them here without justification and without detail on how they might be implemented; for that, you’ll have to wait for the book, although I’m sure I’ll sketch out a lot of the details in future posts. Of course, I’d welcome any comments or questions about what I say below – I’ll try to answer using whatever I know at the current time; I’d also like to hear your opinions on whether this sounds like the right approach or not.
In my humble opinion, a workable cyber security compliance regime for any critical infrastructure sector needs to be based on six principles:
- The process being protected needs to be clearly defined (the Bulk Electric System, the interstate gas transmission system, a safe water supply for City X, etc.).
- The compliance regime must be threat-based, meaning there needs to be a list of threats that each entity should address (or else demonstrate why a particular threat doesn’t apply to it).
- The list of threats needs to be regularly updated, as new threats emerge and perhaps some old ones become less important.
- While no particular steps will be prescribed to mitigate any threat, the entity will need to be able to show that what they have done to mitigate each threat has been effective[i].
- Mitigations need to apply to all assets and cyber assets in the entity’s control, although the degree of mitigation required will depend on the risk that misuse or loss of the particular asset or cyber asset poses to the process being protected.
- It should be up to the entity to determine how it will prioritize its expenditures of money and of time on these threats, although it will need to document how it determined its prioritization.
Of course, I’m not going to say now that I won’t ever add to or subtract from this list of principles. But I think they’re a good start.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] My eyes were opened at the RF CIP workshop this past week, when Lew Folkerth pointed out that the key to being able to audit non-prescriptive requirements is for the entity to have to demonstrate that the measures they took were effective. I will do a post on this soon.