In a previous blog, I had touched upon the concerns that I had regarding the U.S. efforts at moving toward a consensus on how to secure N. America’s critical infrastructure, particularly in the energy and utilities markets. I believe the point of that blog was that many people were beating the warning drums, but fewer were offering up practical advice about how to counter the threats.
I recently read yet another article regarding the U.S. government’s “interference” in answering operational technology (OT) security concerns. The general thrust of the article was that the government was once again going to bumble their way into industries that it did not understand well and create more problems than it would solve by applying regulation in some form. The latest attempts in this arena involved the U.S. Cyber Security Act of 2012, which did not pass Congress prior to their latest recess. The article went on to underscore the belief that if the government would just ‘stay out of the way’, the private sector would self-regulate in the necessary fashion to ensure a secure critical infrastructure.
I am not here to debate whether that is true or not, though watching events over the last 4 years in the financial services sector leaves me a bit cynical about the ability of individual industries to look out for the welfare of the average citizen. What I DID want to say is enough already with the whining about critical infrastructure: how scary it is, how no one understands it, how government or industry is going to create an apocalyptic scenario if they continue on the current path. Here are some suggestions instead:
1- For the private industries, quit whining and complaining about how no one understands the trouble you’ve seen in security, and start cooperating to reduce the number of different forums giving advice (some of it conflicting). I’m dizzy trying to track the number of studies being released by government and private sector groups alike, some with different terminology for the same things, others with conflicting information (e.g. “The sky is falling!! No it’s not!! Yes it is! No it’s not!!”). Try prioritizing your venues for communication and information dissemination and collectively establish authoritative voices about the nature of the problem, the current state, and what can be done to address the problems. If you want to avoid regulation, be consistent with how you describe the problem to Congress by agreeing upon credible, factual sources rather than fighting it out in the media. You may not like the idea of government regulation, but at least they appear to be TRYING to do something, however misdirected you may feel it is;
2- For the government, quit your bickering over who’s in charge and sort out a strategic hierarchy. Bring some consistency to YOUR studies and reports as well, and come up with a taxonomy of which study is for which purpose and which group or infrastructure. In the case of energy and utilities, decide what the roles of DHS, ODNI, DOE, NRC, FERC, NIST (to name just a few), the White House, and Congress are and be clear about it. I know this isn’t likely to happen until after the election, but perhaps we can set this as an early goal for the next administration. In addition, quit changing the NERC CIP regulations long enough for consultants, integrators, and the companies affected by those regulations to have a stationary target. Most important of all, work with the private sector to ensure that you’re ALL drawing upon valid, credible, scientific sources of information from which to make decisions. Relegate questionable media reports by agencies that don’t have knowledge or awareness of the specific industries affected to their proper place in the decision process;
3- For all involved: we continue to need refinement of the common language we use about operational technology security, and we need to agree upon the major issues we must address. We need to agree upon what the obvious priorities are, i.e. what are the basics that can be done TODAY to take incremental steps to improve security for our critical infrastructure (for example, ensuring that basic security policy is in place and APPLIED, and that organizational requirements are identified and established early so training can commence). Most importantly, we need to understand WHO IS IN CHARGE for the particular priorities identified, and what being in charge means from a governance and program perspective.
As my wife often says, it’s time to put your big boy pants on and act your age. It’s possible to sort out major issues related to critical infrastructure protection if there is the grown-up willingness to admit that something must be done and that someone must be able to lead and coordinate the effort. The rest should follow. I know it sounds easier than it really is, but it isn’t going to solve itself by wringing our hands or whining about who’s in charge.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.