Sometimes I read an article on line or in the physical paper (yes, I still get those!) that makes me smack my head and say “Of course! This makes perfect sense!” And I like to feel that I would have sooner or later come to the same conclusion – it’s just that the author has already done that for me.
Such was the case when, in the July 12 Wall Street Journal, I read an Op-Ed piece called “America isn’t Ready for a ‘Cyber 9/11’”. The title was a little misleading, and I almost didn’t read it; I figured it was yet another alarming piece about how the whole grid was going to collapse from a massive cyber attack either tomorrow or the day after tomorrow at the very latest.
However, it wasn’t about that at all. Rather, it was making the point, which I’ve made a couple times, that the Wannacry and not-Petya attacks (which they call Petya in the article – I’ll excuse this minor error) were quite different from most previous attacks in that they weren’t aimed at particular sectors or companies, or even countries (although not-Petya was clearly aimed at the Ukraine at first, but didn’t confine itself there for very long).
And the authors draw a perfectly reasonable conclusion from this: If such broad attacks are going to be the norm from now on, perhaps the current state of extremely fragmented cyber security oversight isn’t the best way to protect the country going forward (they state there are at least 11 Federal agencies with jurisdiction over some aspect of cyber, but they also seem to have left out two more that you may be familiar with: NERC and FERC. Raise your hand if you’ve ever heard of them).
And it doesn’t take long for the authors to come to a conclusion that I would have considered ridiculous a few months ago, but which now seems to me to make much more sense: There should be a Federal Department of Cybersecurity. When a big, broad attack happens, why have a bunch of different agencies that need to figure out for themselves what it’s about and how to deal with it? Why not have one agency responsible for figuring out what’s going on and how to respond, which then has different divisions responsible for different sectors, whose job would be to carry out that response in their sector (this part about the divisions is my extrapolation from their article, which doesn’t itself discuss how the Department would be structured)?
But let’s not stop there. This same Department of Cybersecurity should also be responsible for developing and enforcing cyber security standards - in some cases mandatory, in others voluntary. Again, the sector-level divisions would be responsible for interpreting, evangelizing and enforcing those standards in the different sectors.
Of course, electric power would be one of those divisions. However, I think it would be part of a “super division” of what might be called “process infrastructure” (which is a terrible name, but all I can think of at this hour). This would include all of the critical infrastructure sectors that are responsible for maintaining a particular process. Of course, the process for the power sector is the Bulk Electric System. For oil refineries, it’s the production of petroleum byproducts. For natural gas pipelines, it’s the interstate distribution of natural gas. A couple other sectors in this group would be chemical plants and petroleum pipelines.
Within this “super division”, there would be a core group of ICS security experts that would address threats to ICS assets, and formulate both responses to attacks and standards for maintaining cyber security (again, mandatory or not, perhaps depending on the criticality of the sector. Unfortunately – you guessed it – the electric sector is about as critical as it gets). Then there would be groups of “implementers” and assessors (which, truth be told, would also be auditors) who would carry out the responses and interpret/enforce the standards in the particular sectors.
And what would be the standards they would enforce? This may surprise you greatly, but I don’t actually advocate that the NERC CIP standards be generalized and made applicable to all critical infrastructure sectors. What do I propose instead? I am proposing a very different set of standards (or really, just one standard with one requirement), based on a very different compliance regime than the NERC one (again this probably surprises you greatly). I currently have identified six principles that would form the basis for that regime, which I listed (without any embellishment) in this post.
You’ll notice these principles are general, applicable to any process industry. When I wrote the above post, I was thinking that each of those industries (gas pipelines, electric power, etc) would implement the same principles, but tailored to their industry (i.e. their particular infrastructure, like the BES when you’re talking about electric power). I now realize that it makes a lot more sense to have a single group of ICS experts that handles the functions that are common to all the process industries, with sector specialists who apply them to the different sectors; i.e. the structure I described above.
Will this happen? I’m not positive there will be a Department of Cybersecurity, although I think that would be the best solution. An intermediate solution would be to combine regulation of the process infrastructure sectors into this “super division”, and have either the Department of Energy or the Department of Homeland Security “house” it. This wouldn’t provide the synergies with industries like banking and healthcare that a Dept. of Cyber would provide, but it might be a lot easier to implement and would at least unify the process infrastructure industries.
One thing I am fairly sure of: In three years, neither NERC nor FERC will be responsible for regulation of the cybersecurity of the power grid. This is not because they’ve made mistakes as the regulators (although they have – again, I realize it will surprise you greatly to hear me say this), but because the logic of combining the sectors in this way is too compelling. At that time, you’ll look back at your happy days of laboring in the salt mines of NERC CIP and wonder what you were thinking.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.