On cybersecurity, experts agree: Compliance with standards is not enough

Industry experts appearing before the Senate Energy and Natural Resources Committee hearing on cybersecurity and the grid July 17 agreed that cybersecurity standards are important but that, by itself, compliance with such standards is not enough to protect the nation’s critical infrastructure.

In his prepared remarks, Gregory Wilshusen, director of information and technology for the Government Accountability Office (GAO), told the panel that the GAO had identified, “a focus by utilities on regulatory compliance instead of comprehensive security” as one of the ongoing challenges to grid security.

“Perhaps standards should not be spelled out too specifically, or utilities get into this compliance mode of trying to meet the standards instead of safeguarding the systems,” Sen. Lisa Murkowski (R-Alaska) said. “We want to push everybody to be one step ahead of the guys that are trying to disassemble things, so we don’t want to get them focused on just checking the boxes off; we need them to be thinking ahead every single day.”

The head of NERC agreed.

“If we’re going in with a check-list style of compliance, it’s not going to be helpful,” NERC president and CEO Gerry Cauley said. “The most effective standards will be based on risk controls, setting up systems to catch issues that need to be identified, not on prescriptive line-by-line, rule-based type standards.”

“We want people reporting information actively,” he continued.

“No one can live in isolation,” Joseph McClelland, director of FERC’s office of electric reliability said. “If there’s connectivity, there needs to be minimum protocols and there needs to be sufficient information sharing so that everyone is able to move ahead of the threat. I think the standard needs to compel action but provide the latitude that the individual entities might need to address the issue on their systems.”

Wilshusen agreed: “Standards need to be flexible and not overly prescriptive.”

The sole state representative on the four-person panel said standards that allow a flexible approach to problem solving could potentially serve to keep cybersecurity issues more isolated than a common approach across a system.

Todd Snitchler, chairman of the Public Utilities Commission of Ohio (PUCO), said a diverse problem-solving approach has the potential to keep an entire system from being knocked out because looking at more than one set of solutions will require “far more effort on behalf of those who would … seek to damage the grid.”

More cybersecurity experts needed

To develop and implement both standards and hands-on methods for keeping the grid secure and responding to threats, Sen. Mark Udall (D-Colo.) asked the panelists if they thought the nation would “be more secure with additional and better-trained cyber warriors?”

While the panelists agreed that, “more, and well-trained, cybersecurity people are something that we all need,” McClelland also noted, “These folks are scarce as hens’ teeth. In many cases, we steal them from each other.”

Others recommended leveraging military experience and training.

“Our utilities in Ohio … have had good success in dealing with people who are used to dealing with top secret security clearances and higher on issues of this nature at the utilities,” Snitchler said. However, he added, skilled professionals are in short supply and high demand, and companies are working hard to find them.

Information sharing key to future success

Responding to a question about how the electricity industry could improve information sharing, Wilshusen said, “Have a mechanism in place in which the industry can collect information about security incidents and vulnerabilities … within the industry, and then be able to share it with other members, but after it’s been anonymized … so as not to put other companies in peril.”

Another key area, the panelists said, is the need to receive timely information from federal sources, including NERC and FERC as well as the intelligence community, about threats and vulnerabilities as they emerge.

“Many of the threats are international in scope needed, that’s an area that’s of prime consideration and concern,” Wilshusen said.

NERC’s chief said his agency is working on developing more ways to share information.

“We need to create … centers, perhaps in cooperation with FBI offices … where we can quickly get very detailed information at the classified level to people in the industry who can understand, at a very granular level, ‘What is the threat, and what actions should I take?’,” Cauley said.

Snitchler also called for more efficient information sharing.

“We can be implementing best practices and avoiding each individual company having to uncover and discover the same problem and work their own solution,” he said, supporting suggestions for a clearinghouse of known issues.

Echoing concerns about the existing approach leading to standards becoming a ceiling instead of a floor for the level of cybersecurity, Sen. Chris Coons (D-Del.) asked what could be done in terms of standard-setting and internal partnerships that would strengthen an approach to comprehensive security rather than focusing merely on compliance.

“It’s going to be important that each agency have an effective program for assessing the risks and then taking the appropriate steps to implement the appropriate controls to mitigate that,” Wilshusen said. “That would include not only assuring compliance with standards, but also taking other actions as determined necessary by the facts and circumstances.”

Wilshusen continued: “Are we sharing lessons learned? Are we sharing relative intelligence? Is it actionable intelligence so that folks can see what’s happening, they can learn from their neighbor and they can put the security in place? Because the threats are moving at lightning speed.”