Sometimes I
read an article on line or in the physical paper (yes, I still get those!) that
makes me smack my head and say “Of course! This makes perfect sense!” And I like
to feel that I would have sooner or later come to the same conclusion – it’s
just that the author has already done that for me.
Such was the
case when, in the July 12
Wall Street
Journal, I read an Op-Ed piece called “
America isn’t Ready
for a ‘Cyber 9/11’”. The title was a little misleading, and I almost didn’t
read it; I figured it was yet another alarming piece about how the whole grid
was going to collapse from a massive cyber attack either tomorrow or the day
after tomorrow at the very latest.
However, it
wasn’t about that at all. Rather, it was making the point, which I’ve
made
a couple times, that the Wannacry and not-Petya attacks (which they call Petya in
the article – I’ll excuse this minor error) were quite different from most
previous attacks in that they weren’t aimed at particular sectors or companies,
or even countries (although not-Petya was clearly aimed at the Ukraine at
first, but didn’t confine itself there for very long).
And the
authors draw a perfectly reasonable conclusion from this: If such broad attacks
are going to be the norm from now on, perhaps the current state of extremely
fragmented cyber security oversight isn’t the best way to protect the country
going forward (they state there are at least 11 Federal agencies with
jurisdiction over some aspect of cyber, but they also seem to have left out two
more that you may be familiar with: NERC and FERC. Raise your hand if you’ve
ever heard of them).
And it doesn’t
take long for the authors to come to a conclusion that I would have considered
ridiculous a few months ago, but which now seems to me to make much more sense:
There should be a Federal Department of Cybersecurity. When a big, broad attack
happens, why have a bunch of different agencies that need to figure out for
themselves what it’s about and how to deal with it? Why not have one agency
responsible for figuring out what’s going on and how to respond, which then has
different divisions responsible for different sectors, whose job would be to
carry out that response in their sector (this part about the divisions is my
extrapolation from their article, which doesn’t itself discuss how the
Department would be structured)?
But let’s
not stop there. This same Department of Cybersecurity should also be
responsible for developing and enforcing cyber security standards - in some
cases mandatory, in others voluntary. Again, the sector-level divisions would
be responsible for interpreting, evangelizing and enforcing those standards in
the different sectors.
Of course,
electric power would be one of those divisions. However, I think it would be
part of a “super division” of what might be called “process infrastructure”
(which is a terrible name, but all I can think of at this hour). This would include
all of the critical infrastructure sectors that are responsible for maintaining
a particular process. Of course, the process for the power sector is the Bulk
Electric System. For oil refineries, it’s the production of petroleum
byproducts. For natural gas pipelines, it’s the interstate distribution of
natural gas. A couple other sectors in this group would be chemical plants and
petroleum pipelines.
Within this “super
division”, there would be a core group of ICS security experts that would
address threats to ICS assets, and formulate both responses to attacks and
standards for maintaining cyber security (again, mandatory or not, perhaps
depending on the criticality of the sector. Unfortunately – you guessed it –
the electric sector is about as critical as it gets). Then there would be
groups of “implementers” and assessors (which, truth be told, would also be
auditors) who would carry out the responses and interpret/enforce the standards
in the particular sectors.
And what
would be the standards they would enforce? This may surprise you greatly, but I
don’t actually advocate that the NERC CIP standards be generalized and made
applicable to all critical infrastructure sectors. What do I propose instead? I
am proposing a very different set of standards (or really, just one standard
with one requirement), based on a
very
different compliance regime than the NERC one (again this probably surprises
you greatly). I currently have identified six principles that would form the
basis for that regime, which I listed (without any embellishment) in
this
post.
You’ll
notice these principles are general, applicable to any process industry. When I
wrote the above post, I was thinking that each of those industries (gas
pipelines, electric power, etc) would implement the same principles, but
tailored to their industry (i.e. their particular infrastructure, like the BES
when you’re talking about electric power). I now realize that it makes a lot
more sense to have a single group of ICS experts that handles the functions
that are common to all the process industries, with sector specialists who
apply them to the different sectors; i.e. the structure I described above.
Will this
happen? I’m not positive there will be a Department of Cybersecurity, although
I think that would be the best solution. An intermediate solution would be to
combine regulation of the process infrastructure sectors into this “super
division”, and have either the Department of Energy or the Department of
Homeland Security “house” it. This wouldn’t provide the synergies with
industries like banking and healthcare that a Dept. of Cyber would provide, but
it might be a lot easier to implement and would at least unify the process
infrastructure industries.
One thing I
am fairly sure of: In three years, neither NERC nor FERC will be responsible
for regulation of the cybersecurity of the power grid. This is not because they’ve
made mistakes as the regulators (although they have – again, I realize it will
surprise you greatly to hear me say this), but because the logic of combining
the sectors in this way is too compelling. At that time, you’ll look back at
your happy days of laboring in the salt mines of NERC CIP and wonder what you
were thinking.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte.