Checklist v. Risk Based OT Cybersecurity Regulation

Why Checklists Win

Talk to most security professionals, OT and IT, and they'll tell you that applying a checklist approach to security controls across an industry sector makes no sense. Compliance with a standard or regulation does not equal security. Each company should take a risk based approach and implement security where needed to reduce risk to an acceptable level.

So why are most OT cybersecurity regulations a list of required cybersecurity controls? Checklists? Because both regulators and the regulated companies prefer checklists.

Regulators like the checklist approach: a list of specific requirements that are representative of consensus good practice. You, the regulated entity, must have all of these security controls in place. Why do regulators like this?

  • They're easy to write. Find some guidance documents and pull out the recommended security controls. Err on the side of including too many. You, the regulator, will get in more trouble leaving something off than including too many. And if you missed some, you can always add to the requirements in subsequent versions. It's almost expected for the regulation, the checklist, to grow.
  • They are easier to audit because judgment is minimized. This control is required. Can you prove or attest to the auditor that it is in place? Check.

What's less obvious is why the regulated companies, the asset owners in the OT world, prefer checklist regulation over risk based regulation.

First, let's take a step backwards. Many OT security professionals do not prefer the checklist approach. We go on about how this whole swath of security requirements makes no sense in our environment. They do nothing to reduce risk and are costly in time and money.

Security professionals, and OT security professionals even less so, don't matter a lot when it comes to regulation. The people who matter are the executives and their minions who talk with the regulators about a win-win regulatory framework.

They prefer the checklist approach. Why?

The executives have to manage all sorts of risk, including regulatory risk. The best way to reduce regulatory risk is to not be regulated. This is the first choice. If no regulation at all isn't an option, then as little regulation as possible.

This is not saying executives don't care about OT cyber related risk. If they are convinced of an unacceptable risk they will fund and demand action. If you're not getting action, it means you haven't made a compelling case to executives whose job it is to manage and accept risk.

A regulation introduces a new risk: regulatory risk that can result in fines and worse. Executives must deal with this regulatory risk, and they want the simplest and least costly way to manage it. A list of specific security controls can be met with much more certainty than a risk based regulation.

Additionally, imagine the case where a regulated asset owner is compromised with a major impact on customers, citizens or stockholders. Under a risk based regulation, the regulated asset owner's approach was, by definition, lacking. An unacceptable consequence event happened, and the list of controls they themselves determined to be appropriate did not stop the incident.

If there was a checklist, the regulated asset owner can say we followed good practice as specified in this regulation.

There is some overlap in what is done to meet OT security regulatory risk and OT security cyber risk. This is a positive. Unfortunately, what we saw with NERC CIP and other regulations is that meeting the OT security regulatory risk soaks up all the resources. The best OT security cyber risk management actions can be discarded or delayed if they are not a regulatory requirement.

If you know of any risk based OT security regulation please put it in the comments. Don't include things that have different checklists for different size or criticality systems, like NERC CIP. This multiple checklist approach is better, but not really risk based.

Jérôme Arnaud

Product Manager with 20 years' experience in an international environment leading product teams to success

2 months

The "EU network code on cybersecurity for the electricity sector" (applies to cross-border exchanges only) mandates that European TSOs select a common risk assessment methodology, make a risk assessment and then propose the list of controls.

Robert Sadler

OT Cybersecurity Analyst for Liberty Utilities

2 months

To me the checklist approach is a starting point for many companies and organizations; it provides direction when they are trying to wrap their hands around this issue. After that, it's helpful for audits, not as a checklist: did anything change that wasn't supposed to? After that, executives have a decision to make. Do I want or need to protect my assets? The regulations and checklist don't do that. They baseline you is all. Protecting an asset involves engineering controls and cyber controls, something the regulations are seriously lacking. Fundamentally any form of security is a constant vigil. It's not a one and done. Outside this, it helps regulatory entities with additional revenue for certifications, approved auditors, so a whole industry is formed off the compliance machine, and yes regulators benefit from this churn. So do companies. But in no way does this equate to properly protecting an asset.


Hi Dale. International and inter-provincial pipelines in Canada are regulated on a risk basis. The Onshore Pipeline Regulation (https://laws-lois.justice.gc.ca/eng/regulations/SOR-99-294/index.html) references CSA standard Z246.1 (https://www.csagroup.org/store/product/CSA%20Z246.1%3A21/), which specifies having a risk based management program. The standard is free in Canada. Happy to discuss how it works and how well it is working!

Jake Brodsky

SCADA Integration and Security Engineer

2 months

https://scadamag.infracritical.com/index.php/2020/04/20/the-forgotten-aspects-of-ics-security/ I wrote that over four years ago. We will NEVER be able to secure the systems we use with checklists until we deal with the incredible complexity that our current OT platforms have. To illustrate my point: if someone informed you that the flamigaster on the froobiz line has trended toward negative goinometrics, what shall we do about it? Well, first we have to know what flamigasters, froobiz lines and goinometrics are and how they interact with each other. And that's exactly what today's operating systems and application software look like to most engineers, operators, and, let's be totally honest, OT staff too. Nobody understands the entirety of what is going on. We are in dangerous territory where the complexity is too high for someone to defend it comprehensively on swing shift staffing. Yes, that's true even if you do have complete visibility. Something has got to give, and that something is complexity. We need to go back to simpler computing systems. Checklist security is like trying to craft a swimsuit with minimum fabric: it might cover a few essentials, but it will never be appropriate for everyday use.

John Speakman

Cybersecurity Services - Team Lead - EMEA North at Rockwell Automation

2 months

COMAH legislation in the UK is risk based; it is regulated by the Health & Safety Executive of the UK Government. The guidance is specifically focused on preventing major accidents (MA) or loss of essential service (LES).
