Legislation, Executive Orders, the SEC and Trial Attorneys: The Drivers of a Massive, New Federal Regulatory Program
CRE has been following cyber intrusions into critical infrastructure for nearly a decade and has always held the view that such intrusions were a precursor to a new wave of federal regulation. After these many years, the signs of the tsunami are finally appearing. See these actions by the trial attorneys,
An immediate remedy is to develop a “safe harbor” which will define the line between reporting and not reporting intrusions to a federal body.
Other remedies include actions which will ensure that the SEC adheres to the “good government” laws which “regulate the regulators” when they require public disclosure of intrusions into the network of a critical infrastructure.
CRE encourages all of our readers to express their views on this important matter on this website.
Utilities’ cyber survey may be model for other industries
Dec 04
From: Federal Times
By NICOLE BLAKE JOHNSON
A White House effort to improve the cybersecurity of the nation’s commercial power grid could soon be expanded to other critical sectors, such as transportation and water.
The Energy and Homeland Security departments kicked off the initiative, known as the Electricity Sector Cybersecurity Capability Maturity Model, this year as an effort to assess and improve the security of thousands of utility companies.
A key component of the initiative is a self-evaluation survey of more than 300 questions that helps utilities evaluate their cybersecurity, identify gaps and plan how to mitigate risks and implement necessary changes.
Questions
Among the questions asked, for example, are whether:
• Cybersecurity requirements are considered when establishing relationships with suppliers and other third parties.
• Personnel vetting, such as background checks and drug tests, is performed at hire for positions that have access to electrical delivery assets.
• Training programs are aligned to support cybersecurity workforce management objectives.
The model “provides a common framework to have a discussion about [cybersecurity],” Matthew Light, an Energy Department program manager working on the initiative, said at a Washington event last week.
In public-private partnerships such as this one, Light said the government often comes to the table and tells industry it needs to improve cybersecurity, but doesn’t fully understand the security that companies already have in place or what they must improve.
“The survey provides a set of practices that we can all point to and understand,” Light said.
In April, 17 companies piloted the tool, including Dominion, one of the country’s largest power companies. In the summer, the survey tool was released to all electric companies.
The White House and DHS now want to expand the model to other critical sectors, said Samara Moore, the White House’s cybersecurity director for critical infrastructure. Moore was Energy’s lead manager for the initiative before moving to the White House.
Mark Engels, director of enterprise technology security and compliance at Dominion, said the survey tool can be effective if companies are honest with themselves about their cybersecurity capabilities.
He said the survey results helped Dominion better prioritize funding for cybersecurity.
Engels said the model goes beyond the basic cyber practices required in regulations.
The goal, he said, is not to make the survey serve as another form of regulation, but to improve cybersecurity programs.
Data concerns
The challenge is figuring out how to share company survey results with the government, to ultimately determine the security of the electric grid. Companies want to ensure their data are not misinterpreted, Engels said.
There are also concerns about how, where and for how long data would be stored and how it would be protected.
For now, participating companies share that information with industry associations, such as the Edison Electric Institute, and the survey results are sanitized to show overall trends without identifying company names, said David Batz, director of cyber and infrastructure security at Edison.
The organization tries to facilitate information sharing and best practices among its members.