I noted a number of interesting statements at GridSecCon this year – as well as the Friday trip to SecureWorks’ headquarters in Atlanta, which proved to be very interesting – which I’d like to tell you about. I’ll gradually work through them as I get time; I hope I’m finished by the next GridSecCon!
One comment I found especially interesting was made during a panel on natural gas security. Robert Mims of Southern Companies is in charge of cyber security for their natural gas division. He lamented the fact that his team consists of exactly four people, while his peer on the electric side has “hundreds” of people working for him.
What’s the difference? He doesn’t face a mandatory cyber standard like NERC CIP. He had no doubt that if he did, he would have a much bigger head count than he does. (Of course, even if the electric side didn’t have any mandatory cyber standards to worry about, I’m sure their team would still be multiple times the size of the gas team. There are just a lot more moving parts on the electric side, and in general I believe the danger of a cyber attack causing serious physical damage in gas is much lower than in electric.)
And this goes to the real reason why mandatory standards are needed in some cases: the flow of money from management increases substantially when there are penalties to worry about. (I don’t think the monetary penalties are the biggest incentive for compliance. I’ve always said that power companies would do almost everything they could to avoid violations even if the “penalty” were a trip to Disney World. In the long run, the reputational and similar damage is much more painful than the monetary damage.)
So as much as I complain about problems with the CIP standards, I don’t want to see mandatory standards go away. However, I do think all security standards should follow one Golden Rule: as much as possible, they should simply require the entity’s cyber staff to do on their own what they would do if they received the same level of funding they now do under the current NERC CIP standards, yet didn’t have to comply with any standard. I contend they would “identify and assess” their cyber risks (to use the words found in CIP-013 R1.1, which is the best example so far of this approach) and mitigate the most important ones. And they would mitigate them using the most efficient approach possible, since they wouldn’t have to follow prescriptive requirements that inherently aren’t the most efficient approach – sometimes not by a long shot.
In other words, I would rewrite all of the CIP standards like CIP-013, although I’d make improvements to that, and there are other considerations as well[i]. But if you take away mandatory standards, you turn off the money spigot. A number of NERC entities have freely admitted to me that they would never get the same level of cyber funding as they do now, were it not for NERC CIP. Some even admit to justifying purchases as being “required by NERC CIP” when in reality that’s not the case. But you didn’t hear that here, of course…
So tonight, you should thank your lucky stars that NERC CIP is mandatory, not a voluntary framework. As the Beatles said (in “Back in the USSR” from the White Album), “…(you) don’t know how lucky you are, boys…”
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
Exactly! NERC causes funding to flow to cybersecurity – that's a good thing. A clever leader can get both security and compliance out of those funds.

A number of vendors have told me that they appreciate having standards too, as, without standards, they're not exactly sure what they should build. So NERC CIP, frustrating as it may be at times, does give us at least something to focus on.