ARTICLE
17 January 2013

Cybersecurity Regulation: 5 Issues For Companies

Commentary: Federal oversight of cybersecurity practices is coming

WASHINGTON (MarketWatch) — Hardly a day seems to go by without news of a cyber-attack or dire warnings about the vulnerability of our nation's critical computer networks.

Most people believe that the government must do more to regulate cybersecurity practices, particularly in industries that own or operate "critical infrastructure," that is, infrastructure that could cause significant disruptions or damage to our daily lives if subjected to a cyber attack.

The owners and operators of such infrastructure — for example, oil and gas pipelines, chemical refineries, transportation systems, financial institutions, hospitals, nuclear reactors, dams and agricultural infrastructure — will likely see more government oversight of their cybersecurity practices in the coming years.

What will such regulation look like? How will a company's cybersecurity practices and the ways in which it documents and implements them be affected by the increasing government oversight headed our way?

The electric industry can provide some answers to these questions. It has been living the reality of mandatory cybersecurity regulation since 2005, when Congress granted reliability authority to the Federal Energy Regulatory Commission (FERC), and it has learned a few lessons in that time. Cybersecurity compliance has proven to be challenging, and even in the absence of hacking incidents it is not without its perils. In the last three years alone, the FERC has issued nearly $11 million in civil penalties against industry members for violations.

For critical infrastructure owners and operators outside of the electric industry, new regulation seems to be on the horizon. The White House is preparing a new cybersecurity executive order that sources anticipate will be issued in the coming weeks.

Although compliance with new standards would likely be voluntary, the White House is expected to incorporate incentives for companies to comply with those requirements.

More importantly, the new standards could serve as the basis for tort liability for companies that do not adequately protect their IT systems. Longer-term, it is possible that Congress will enact new legislation to give the federal government — probably the Department of Homeland Security — new authority to regulate the cybersecurity practices of critical infrastructure owners and operators.

Legal jargon aside, what should a critical infrastructure owner or operator expect to see in these new cybersecurity regulations? Here are some key issues that could present themselves under the new standards:

Identification and protection of critical devices

The electric sector cybersecurity standards require industry members to identify cyber devices that are essential to the operation of certain physical assets deemed critical to the operation of the electric grid: control centers, power plants, transmission equipment, among others. Responsible entities must then protect these essential devices using a series of overlapping measures as part of a "defense in depth" strategy.

Protection of such essential cyber devices ranges from the use of controls such as firewalls and intrusion prevention systems, to controlling who has physical access to these devices. The same model is likely to form the core of any set of cybersecurity standards used in other sectors.

Patch management

Electric utilities rely on a host of software programs to support their operations, and security patches for these programs are released on a daily basis in response to newly discovered vulnerabilities. Prompt installation of these fixes is critical, as an application that goes unpatched can quickly lead to hacking, malware infection, or the exfiltration of sensitive data or files. The electric industry cybersecurity standards require responsible entities to assess all potentially applicable security patches within 30 days of the release date and, in most cases, to install the patch if it is found to apply. This can be a demanding task, particularly since developers' practices vary as to how they announce new patches. Patch management could be a feature of future cybersecurity performance requirements.
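The 30-day assessment window described above is easy to state and easy to miss in practice. The following tracker, added here as an illustration and not taken from the article or any standard's reference implementation, matches a constructed vendor patch feed against a constructed software inventory to find the "potentially applicable" patches, computes each one's assessment deadline, and reports which are pending, overdue, assessed late, or assessed as applicable but still not installed. Vendor names, patch identifiers and dates are all invented.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assessment must happen within 30 days of release (figure from the article).
ASSESS_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Patch:
    vendor: str
    product: str
    patch_id: str
    released: date


@dataclass
class Assessment:
    patch_id: str
    assessed_on: date
    applicable: bool
    installed_on: Optional[date] = None


def potentially_applicable(patches, inventory):
    """A patch is potentially applicable when its vendor/product pair is installed
    somewhere in the inventory (case-insensitive match on both fields)."""
    installed = {(v.lower(), p.lower()) for v, p in inventory}
    return [p for p in patches if (p.vendor.lower(), p.product.lower()) in installed]


def compliance_report(patches, inventory, assessments, today):
    """Return {patch_id: (assessment_deadline, status)} for every potentially
    applicable patch, judged as of `today`."""
    by_id = {a.patch_id: a for a in assessments}
    report = {}
    for p in potentially_applicable(patches, inventory):
        deadline = p.released + ASSESS_WINDOW
        a = by_id.get(p.patch_id)
        if a is None:
            status = "overdue" if today > deadline else "pending"
        elif a.assessed_on > deadline:
            status = "assessed late"
        elif a.applicable and a.installed_on is None:
            status = "assessed, install outstanding"
        else:
            status = "compliant"
        report[p.patch_id] = (deadline, status)
    return report


# --- constructed sample data (hypothetical vendors, products and ids) ---
TODAY = date(2013, 1, 17)
INVENTORY = [("Acme", "HMI Server"), ("Acme", "Historian")]
PATCHES = [
    Patch("Acme", "HMI Server", "ACME-2012-101", TODAY - timedelta(days=40)),
    Patch("Acme", "Historian", "ACME-2013-002", TODAY - timedelta(days=10)),
    Patch("Acme", "HMI Server", "ACME-2012-099", TODAY - timedelta(days=45)),
    Patch("Other", "Billing", "OTH-2013-001", TODAY - timedelta(days=5)),
    Patch("Acme", "Historian", "ACME-2012-090", TODAY - timedelta(days=50)),
]
ASSESSMENTS = [
    Assessment("ACME-2012-099", TODAY - timedelta(days=20), applicable=True),
    Assessment("ACME-2012-090", TODAY - timedelta(days=10), applicable=False),
]

if __name__ == "__main__":
    for pid, (deadline, status) in compliance_report(PATCHES, INVENTORY, ASSESSMENTS, TODAY).items():
        print(f"{pid}: assess by {deadline} -> {status}")
```

Only the applicability filter depends on the inventory, so the same report can be produced per site or per device class by swapping the inventory list; the deadline logic does not change.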

Configuration management

The installation of "back doors" by hackers and the exploitation of unguarded network access points are a threat to any company. As a result, the electric industry cybersecurity standards require detailed documentation of device configurations, including written justifications for all enabled communication paths. Given that a single device can have 65,535 logical ports and that a company may own thousands of computers and servers, this documentation can be voluminous.
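What the documentation requirement buys a defender is a baseline that can be mechanically checked against a device. The example below is added here as an illustration and is not code from the article; it holds a baseline of enabled communication paths, each with its written justification, rejects entries that lack one, parses a constructed `ss -lntu`-style listener listing, and reports both undocumented listeners (the "unguarded access point" case) and documented paths that are no longer present. Host details, ports and ticket references are invented.

```python
import re
from dataclasses import dataclass

MAX_PORT = 65535  # logical ports per transport protocol on a single device


@dataclass(frozen=True)
class Path:
    proto: str          # "tcp" or "udp"
    port: int
    justification: str  # the written justification the baseline must record


def validate_baseline(baseline):
    """Raise ValueError for any entry without a justification, with an
    impossible port, an unknown protocol, or a duplicate proto/port pair."""
    seen = set()
    for p in baseline:
        if p.proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {p.proto!r}")
        if not 1 <= p.port <= MAX_PORT:
            raise ValueError(f"port {p.port} outside 1..{MAX_PORT}")
        if not p.justification.strip():
            raise ValueError(f"{p.proto}/{p.port} has no written justification")
        key = (p.proto, p.port)
        if key in seen:
            raise ValueError(f"duplicate baseline entry {p.proto}/{p.port}")
        seen.add(key)
    return True


# Netid State Recv-Q Send-Q Local:Port Peer:Port  (ss -lntu column layout)
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(ss_output):
    """Extract a set of (proto, port) pairs from ss-style listener output."""
    listeners = set()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        proto, local = m.groups()
        listeners.add((proto, int(local.rsplit(":", 1)[1])))
    return listeners


def audit(baseline, listeners):
    """Compare observed listeners with the documented baseline."""
    documented = {(p.proto, p.port) for p in baseline}
    return {
        "undocumented": sorted(k for k in listeners if k not in documented),
        "missing": sorted(k for k in documented if k not in listeners),
    }


# --- constructed sample data (hypothetical device) ---
BASELINE = [
    Path("tcp", 22, "Vendor maintenance via jump host; change ticket CM-PLACEHOLDER"),
    Path("tcp", 502, "Modbus/TCP polling by the SCADA master"),
    Path("udp", 161, "SNMP read-only monitoring from the NMS"),
    Path("tcp", 443, "HTTPS for the local HMI"),
]
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""

if __name__ == "__main__":
    validate_baseline(BASELINE)
    print(audit(BASELINE, parse_listeners(SAMPLE_SS)))
```

In the sample, the telnet listener on tcp/23 has no baseline entry and is reported as undocumented, while the documented HTTPS path is reported missing; both are findings a reviewer would want explained before the baseline is re-approved.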

Password management

Passwords don't offer much security anymore. Many simple passwords can be guessed in mere seconds using easily accessible, high-powered computers. As a result, any effective cybersecurity program requires passwords be of a minimum length, consist of a mixture of letters, numbers, and special characters, and be changed regularly. In addition, best practices include locking accounts after a certain number of failed attempts and storing account passwords in an encrypted format. Another password security feature becoming more prevalent is two-factor authentication, such as using tokens that generate a PIN every 60 seconds, which must be entered in tandem with the user's password. Password management requirements like these are probable features of upcoming regulation.
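The controls listed above (minimum length, character mixture, lockout after repeated failures, protected storage, and a token PIN that rotates every 60 seconds) can be demonstrated together. The example below is added here and is not code from the article. It stores the password as a salted PBKDF2 hash (the article says "encrypted format"; a salted, slow hash is the usual realization of that requirement), and the PIN is an HMAC-based one-time code computed over the current 60-second window, which is how hardware tokens of that kind generally work. The minimum length of 12 and the lockout threshold of 5 are assumed policy values; the article gives no numbers for them.

```python
import hashlib
import hmac
import os
import struct
import time

MIN_LENGTH = 12          # assumed policy value (article gives none)
MAX_FAILURES = 5         # assumed lockout threshold (article gives none)
PIN_STEP_SECONDS = 60    # token rotates its PIN every 60 seconds (from the article)
PIN_DIGITS = 6


def meets_policy(password):
    """Minimum length plus a mixture of letters, digits and special characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def time_pin(secret, at=None):
    """One-time PIN derived from the shared token secret and the current
    60-second window (HMAC-based, TOTP-style construction)."""
    now = time.time() if at is None else at
    counter = int(now // PIN_STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


class Account:
    def __init__(self, username, password, token_secret):
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.token_secret = token_secret
        self.failures = 0
        self.locked = False

    def login(self, password, pin, now=None):
        """Return "ok", "denied" or "locked". Both factors are checked with
        constant-time comparisons; failures are counted until lockout."""
        if self.locked:
            return "locked"
        _, candidate = hash_password(password, self.salt)
        password_ok = hmac.compare_digest(candidate, self.digest)
        pin_ok = hmac.compare_digest(pin, time_pin(self.token_secret, now))
        if password_ok and pin_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    seed = b"constructed-token-seed"   # hypothetical shared secret
    acct = Account("operator", "Correct-Horse-7!", seed)
    print(acct.login("Correct-Horse-7!", time_pin(seed), None))
```

Note that a failed PIN counts toward lockout exactly like a failed password, and that a locked account stays locked even for a correct pair until an administrator resets it; both are deliberate.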

Recovery plans

No company can prevent all cyber-attacks or unauthorized access, so the ability to recover quickly must be a primary goal. Having incident recovery plans, and performing regular exercises of these plans to ensure readiness for actual incidents, may also be a requirement under a new regulatory regime.

The executive order is expected to center around a voluntary compliance program, but it's likely the federal government will eventually impose a cybersecurity regulatory framework similar to the one it already has in place for the electric industry. Owners and operators in newly regulated industry sectors should be mindful of lessons learned by this sector.

The cost of compliance can be significant but the cost of non-compliance can be even greater.

Originally published in The Wall Street Journal Market Watch on January 11, 2013.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.