The big debate now seems to be: Can any industry, let alone an individual company, actually provide a level of security (physical or cyber) consistent with national security requirements?
Jesse Berst, in a recent article, quoted the CEO of the North American Electric Reliability Corp (NERC), Gerry Cauley, as saying,
“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous.”
I don’t know where Mr. Cauley gets this idea, but I can guess. My guess: it’s simply the consensus of those that NERC represents — the owners and operators of the bulk power system. My next guess (less of a guess and more deductive reasoning) is that any regulation costs money and the rate-paying public may not be convinced of the need. This reality should be reflected in public policy, but at some point we simply must accept that secure systems (e.g., the grid) are more costly and less convenient than equivalent insecure systems (“Langner’s Law”).
I would further argue with Mr. Cauley about the extreme danger of a single government agency giving orders to the private sector. Let’s take the Nuclear Regulatory Commission (NRC), for example. Did you know that while input is solicited from all comers, the NRC’s rulemaking process is NOT consensus-based? Did you know that the NRC, when rulemaking is too slow and the threat to the public is too great, issues orders to direct changes at nuclear power plants? In other words, that which Mr. Cauley fears most actually works well when it comes to protecting people and the environment from nuclear incidents. It seems to me that we already have a model for how to regulate cyber security for critical infrastructure, and it’s up in Rockville, Maryland.
The clock is ticking on additional regulatory measures should the current crop of Executive Orders, Presidential Policy Directives, Cyber Security Frameworks, and a litany of industry standards and best practices fail to enhance the cyber security of our nation’s critical infrastructure. I addressed this in more detail in a recent whitepaper, “A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants”: “If an industry-led effort is not deemed adequate by the industry regulatory body, then additional regulation is likely to ensue.”
In Franklin D. Roosevelt’s own words: “So first of all let me assert my firm belief that the only thing we have to fear is fear itself—nameless, unreasoning, unjustified terror which paralyzes the needed efforts to convert retreat into advance.” (FDR inauguration, March 4, 1933.)
I am not suggesting that we brush aside the fear as unfounded or even unreasonable. Rather, take measure of the fear and press on. Clearly, what’s been done has not worked so well, and it’s time to try something different.