Compliance with regulatory requirements are not enough to protect the US electric grid |
Many companies use compliance and best practices to assist in their fight to protect the U.S. electric grid.
They rely primarily on what three groups say – FERC (Federal Energy and Regulatory Committee), CERT (U.S. Computer Emergency Readiness Team) and NERC (North American Electric Reliability Corporation). These groups issue advisories, standards and guidelines for the industry, while independent vendors provide electronic devices meant to harden security.
Todd Borandi, CISSP, an industry veteran and information security architect, points out that “Companies have mapped controls from one set of compliance rules to sets of security best practices, but that effort does not create a cyber-security solution; it creates a compliance solution with a checklist of boxes to be ticked off once a control can be verified by documentation as being in place.” As a byproduct, Borandi says, “There are teams of so-called security professionals who are nothing more than compliance auditors and who focus on the “what” not the “how.”
Treating compliance rather than cyber security problems
He considers this reinforced behaviour because the “audit drones,” as he calls them, are “the auditors who have been seasoned by four years of outdated book knowledge in college and get their first job as a Junior Auditor with a large firm. The firm gives these young people access to a single seasoned auditor (usually managing half a dozen projects) and then a quick review of what checklist to use and questions to ask before being sent into the field to evaluate complex networked environments that are running processes, protocols, and tools they never learned about in college and that are not on their list of questions.”
As a result, Borandi continues, “Some organisations are treating compliance requirements rather than focusing on cyber security problems and solutions. These businesses feel they have no power to force the vendor’s hand to produce reliable and secure hardware or software, so they fall back to something they can attempt to protect—the organisation’s bottom line.” Result: Money and man hours are spent to ensure that compliance and audit requirements are met rather than to increase the security posture or address the real cyber security risks to the business.
“Pressure should be focused on regulations for those vendors providing the products protecting our critical infrastructure”, says Todd Borandi, CISSP, an industry veteran and information security architect. |
Borandi says “Pressure should be focused on regulations for those vendors providing the products protecting our critical infrastructure,” because many of them are produced in the same foreign countries that are attacking us.
Finally, and he emphasises this: “Compliance with regulatory requirements is NOT security.”
To be fair, some utilities are being proactive and taking the reins. One is Central Maine Power, which is spending $1.4 billion to secure some of its vulnerabilities. Maine, according to an independent report, has a “significant vulnerability” to severe geomagnetic storms, and the state knows it may have to spend more to harden its substations and transformers.
CMP maintains 2,300 miles of transmission lines and 300 substations that connect utilities in New Brunswick, eastern Maine and southern New England, much of it in remote territory, so cameras of all stripes were critical. Card readers limit access, and warning signs are prominently placed, as are the cameras. Will they help against a natural event? No. But it’s better than a wall.