“Security is too important to be left to compliance.”
Jim Brenton of ERCOT thusly encapsulated the security-versus-compliance dichotomy at the recent Managing SCADA Security Risks conference. But is this truly a dichotomy or just two distinct objectives with quite a bit of overlap?
The history of Smart Grid compliance does not confidently promise a high degree of security. The first round of NERC CIP standards required utilities to self-identify their Critical Cyber Assets (CCAs). After careful consideration, 73% ascertained that they had no CCAs. Then CIO of NERC, Michael Assante, wrote to utilities in a now famous memo that they may have been unrealistic in their self-assessment.
Yet, every utility that I have spoken with wants a secure grid. All have constrained budgets. And legal counsel will avoid making commitments unless required. Regardless of your stand on security, avoiding commitments whenever possible is sound business practice. We security purists often forget that.
So we watch as NERC CIP evolves in fits and start through a morass of 500 member work groups, stakeholder foot-dragging, and the familiar diet of politics and procedures. Andy Bochman of IBM provides an excellent play-by-play of CIP development in his Smart Grid Security Blog. Generating excitement about a process that moves at glacial speeds is no mean feat, but Andy manages it.
And yet – compliance is a good thing. Without NERC CIP, would utilities be even as secure as they are now? Doubtful. Without compliance as a driver, would cyber security even exist as an industry after the recent recession? Improbable. Many software markets faltered during the downturn but security ploughed right on through. Auditors don’t get a holiday during a recession.
So which to choose, compliance or security? I have news for you: The answer is “both.” It’s all a matter of approach.
Compliance is typically a top-down driven activity. Laws or regulations arrive, corporate legal advises whether or not they are relevant, and the minimum necessary activity for compliance is undertaken. Again, this is sound business practice. There is no sane reason to overspend on compliance.
Security is a bottom-up activity, starting with an assessment of risks for key assets. This assessment then forms the basis of a security program. The highest possible impact risks are addressed first and the lowest impact risks are most likely never addressed because funding is exhausted before reaching that point. Employee awareness training is also a key but an often-neglected element of effective security.
The difference between compliance and security is evident. Compliance is a one-size-fits-all undertaking. Security, meanwhile, is custom-built for each enterprise. Compliance starts at the 50,000 foot level and offers some high-level assurances about the overall operation of a system. Security starts on the ground and works its way up to provide due care against the risks most likely to inflict damage upon the enterprise.
You need both.