Regulation, but only if done correctly
Joe Weiss is a big fan of strong regulation to help improve critical infrastructure security in the US.
I agree that sweeping regulation can be a benefit in certain situations. For example:
- When there’s a need to make a large cultural shift
- When there’s a need for consistency across a sector
- Safety reasons
Now, I’m not as plugged in as Weiss is, and I’m not sure of the scope of the NERC CIPs or the history of regulatory work coming out of NERC and FERC, but I do have a fundamental belief that Federal agencies do few things well.
I believe that good Federal regulation should be:
- Performance based
- Easily verified
- Consistent
Regulation must be performance based, rather than solution specific.
As Joe pointed out, a checklist isn’t going to motivate a significant change. The result will be to do only what is necessary to meet the items on the checklist.
If consistently improving security is what is desired, then the basis of the regulation must be performance based.
As an example, “the control network should not be impacted by events on the business network.”
Regulation should not be created in a moment of panic. We all see the kinds of things that come out of panic… Think, TSA :(
Regulation should also be verifiable.
There must be a consistent way to measure compliance with a regulation.
For example, “compliance can be verified by ensuring the control network can withstand a targeted attack by a knowledgeable adversary.”
Regulation should be consistent.
There are two branches here. Obviously, regulations should not create a situation where compliance with one places you out of compliance with another.
But more importantly, regulations should be consistent across sectors.
For example, there should be a set of regulations that cover power production or the energy sector at large.
Though there are institutional reasons why this would be hard to achieve (think NERC v NRC), there are substantial benefits to having a consistent set of regulations.
There are many power producers that own both nuclear and fossil-based power facilities.
A consistent regulatory body gives them the ability to optimize their processes, procedures, and project pipelines.
Each production type that has unique characteristics can be supported by additional regulation.
Bill