Although regulations may feel like a burden, their influence should be viewed as wholly positive. Firstly, they establish norms and standards, a baseline for good practice which individual companies can use to set their own benchmarks. Secondly, they raise public awareness of these standards so that customers can hold corporates to account when they don’t meet them.
When it comes to critical infrastructure, there are many international bodies that have developed regulatory frameworks and standards for OT cybersecurity. They all differ slightly, but the overall aims are the same: to promote best practice security standards and ensure that they are followed with a punitive enforcement regime for those who fail to meet them.
This global corpus of laws is evolving and is predominantly led by the EU with its Network and Information Systems Regulation 2018 (NIS Directive), and the US. In the latter, the NERC Critical Information Protection (CIP) standards, which can be used to impose fines of up to a million dollars a day for security breaches in the power industry, are among the best-established cybersecurity rules in the world, while newer initiatives such as the NIST Cybersecurity Framework are more comprehensive.
Other countries are also implementing their own regulatory regimes: standards have been published in Canada and Qatar and are under development in Russia, South Africa and Korea, to name just a few. A finalised draft of the Critical Information Infrastructure Protection Regulation (CIIPR) in China is expected soon .
What this means is that for providers in sectors such as power, oil and gas, water and chemicals, regulatory compliance with cybersecurity standards is no longer a choice. If you’re not preparing already, you will fall foul of enforcement when it commences.
Differing regional approaches to legislation
Navigating transnational regulatory regimes, however, does promise to be a challenge. Right now, the prevailing wind seems to have swung sharply against harmonisation. International tensions around geopolitical conflicts and IP protection are high, highlighting the importance of being sensitive to local requirements.
Even within the EU, for example, there are subtle but important ways in which the regional interpretations of the NIS Directive will impact businesses. The relevant authorities who oversee implementation in the UK, Germany and France all require different types of risk assessment and processes. Some of Europe’s largest economies, meanwhile, are still in the process of fully integrating NIS into local laws.
And even where strong oversight does exist, meeting the standards required by the regulator is just the start of creating truly secure environments. A report published in May by the Computer Security Research Center in the US found that despite regulations, current manufacturing incentives are still skewed towards reducing time to market rather than state-of-the-art protection. Businesses aren’t taking the initiative and using the wider selection of tools and techniques at their disposal.
Even so, regulations are helping to raise awareness among senior decision makers in organizations about security and accountability, and they are becoming more willing to engage in long term strategies to improve security. Conversations in boardrooms have successfully moved from one in which security officers had to fight for small portions of an overall IT budget, to one in which senior management is proactive about releasing budgets for resources and security initiatives before projects are undertaken.
No business wants to face production downtime or reputational damage stemming from a cybersecurity incident, especially when it could be followed by a large fine imposed by a regulator. And as public awareness increases, so too stakeholders and investors are perceived as being more likely to hold management to account in the event that a network was compliant but still, in their eyes, not adequately secured.
Compliance does not equal security
So where should those decision makers be focussing their efforts to improve OT security? Practically, there is plenty of guidance and understanding around the importance of “security by design” and what it means, and the technical tools for risk assessment and mitigation are widely available and understood. The expertise to independently identify and address threats exists in the marketplace, even if it can be a challenge to provide through internal resources.
More fundamental, however, is the need for wider culture change within organisations. It’s not enough that OT security practices are seen as a concern for internal and external specialists only, and don’t impact workflows and routines outside of professional silos. Cybersecurity and awareness are the responsibility of all employees, and better ways of communicating the risks and challenges have to be developed.
There is a strong precedent for this: occupational health and safety regulations have been successfully integrated into workplace culture for decades, thanks to a combination of regulations, compliance officers and ever improving methods of communication that focus on understanding and adoption of best practices among the general workforce. The same initiatives and processes applied for physical safety need to be applied to OT cyber security, and they will have the same effect.
The good news for decision makers is that by building coalitions with security practitioners and fostering this internal culture, the question of compliance itself will become an almost moot one. It’s an area in which it pays to be ahead of the regulator, because if you’re aiming to be truly secure then you’ll already be meeting many of the key requirements of any local law.
Compliance doesn’t necessarily mean security, but adopting cyber security best practices can certainly help achieve compliance.