Monday, October 7, 2019

Upcoming webinar: How can we regulate cybersecurity for critical energy infrastructure?



I will be conducting a webinar on November 7, 2019 from noon to 1:00 PM Eastern time, with the above title. The webinar is sponsored by Henry Stewart Publications in the UK, who solicited and published an article of mine titled “How can we effectively regulate grid security?” in their publication Cybersecurity: A Peer-Reviewed Journal early this year; I described that article in this blog post. While that journal doesn’t publish its contents on the web, if you would like to read the article, you can email me and I’ll send you a (perfectly legal) proof copy of it (of course, it’s a good publication and you might want to subscribe. If you do, I’m sure you would receive the edition with my article).

The article identifies five serious problems with the NERC CIP standards; I’ve been writing about these problems for years, but I had never discussed them all in one place. The article did that, and also briefly described how I would address those problems if given the chance to completely rewrite the CIP standards. The webinar will differ from the article in two ways:

First, the focus will be how I would write cybersecurity standards for any critical energy infrastructure (CEI), not just the power grid. Of course, the most serious effort to date to regulate cybersecurity for CEI – anywhere in the world – is NERC CIP, and I will constantly be referring to the lessons that have been learned from the CIP experience.

Second, since I first wrote the article in May 2018, I’ve come to realize there’s a sixth serious problem with CIP that needs to be addressed. In fact, I now think it’s probably the most serious problem of all, and its importance will keep growing in coming years. Not to keep you in suspense, that problem is the fact that NERC entities can’t put BES Cyber Systems in the cloud. Of course, information about BCS, known as BCSI, is now being put in the cloud by many entities, and that activity will without doubt be “legalized” in CIP in a couple of years. But a NERC entity that put a Medium or High impact BES Cyber System itself in the cloud – e.g. outsourced SCADA – would find itself being cited for a violation of just about every CIP requirement.

In fact, addressing this sixth problem isn’t just another “checklist item” that must be addressed in a different framework for CEI cybersecurity standards; it will literally have to be baked into the foundation of those standards. The standards will need to address both cloud and physical systems at their core, and it can’t be simply through an adjunct that will bolt a cloud-based framework onto a physical systems-based framework (as some have suggested as a solution to incorporating cloud-based BCS into CIP).

I hope you’ll join me for this. The signup link is here.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.
