Should the water sector follow the cybersecurity path of NERC CIP?

Water is essential for life – in so many ways.

It’s so essential, we should do whatever is necessary to have a safe, reliable, and secure water/wastewater system, right? But from what I have seen professionally as a consultant in addition to the many public reports, we’re far from it.

So, what is necessary to secure the water sector in the US?

I recently came across an argument for using the NERC CIP Standards as a model for the water sector. I am not convinced the NERC CIP path is the right choice.

One of the key points in the position for using the NERC CIP approach is “if the sector helps draft the standards that they know will be enforced against them, they will be supportive of the enforcement system that ‘holds the stick’ over them to create accountability.”

Sounds great at first and makes perfect sense. If you get to be part of the design of the regulation, you’ll be more likely to support and adopt it. The regulation can therefore be “created by the industry for the industry.” For this very reason, this method is used to get regulation introduced into unregulated or regulation-resistant sectors.

Having an industry-friendly intermediary such as NERC perform the monitoring and enforcement also kept the industry one step further from the “real” regulator – FERC. The same model is being proposed for water: a Water Risk & Resilience Organization (WRRO) would keep water utilities another layer away from the EPA, which holds the ultimate regulatory authority for the sector.

The challenge is what comes next...

If the electric sector is any example, it has shown that self-regulation is hard. Few companies are willing to come out and openly draft (much less endorse or vote for) expensive and restrictive security requirements for themselves and their industry peers.

Why?

Because security is a perpetual treadmill of technology, process, and people. It’s also very expensive to implement and maintain, and it doesn’t get easier or less resource intensive over time. Most water utilities barely have the financial and human resources to keep the water safely flowing. Going beyond that, especially into the costs and effort required to meet the high-security expectations placed on a critical infrastructure segment, simply isn’t feasible with their current budgets.

Not only is this currently financially unimaginable for the water utilities, but a new regulatory oversight layer such as the WRRO would also need funding. Would that come from the sector participants or from some other budget?

Another concern is that of yet-another-custom-security-regulation. It means consultants and auditors will need to become versed in yet another framework. It also means compliance management software solutions/modules will need to be created to match. The result is specialized expertise and tools that are more expensive because they are tailored to unique rules in a unique sector with a finite number of customers. Another artificially exclusive market is created.

Who pays for this?

Yes, water infrastructure and business are different from electric or gas – and those sectors already have unique regulation (or at least quasi-regulation). But is water so different that it can’t work within something like IEC 62443 or NIST 800-53/82? Honestly, I have the same question for electric and gas. Isn’t it time to normalize across all the sectors?

Does each sector really need its own special regulation?

More variation in industrial control security standards makes it harder to measure and compare. Each new standard must be mapped to the others, which is arbitrary and imperfect at best, and often a one-way exercise. If a “larger” control is broken down into “smaller” controls when mapped from one standard to another (or the reverse), going backward for comparison is virtually impossible. This is compounded when mapping more than two standards to each other.

At some point, the federal government will decide to measure a common baseline of security controls across all the most critical infrastructures. Officials are asking the obvious question “how secure are we as a nation?” We need a better answer than “it depends…”

The Biden National Security Memorandum was clear on this point, so the idea is already being discussed for electric, gas, chemical, and water/wastewater. Wouldn’t it make more economic sense to settle on one industrial control security standard so everyone can report the same way, using similar tools, similar controls, similar advice and audit guides, and even similar monitoring and reporting?

If I am a municipality (or a private company) trying to comply with regulations affecting all of these different infrastructures, my answer is “YES.”

If I am a government agency trying to measure infrastructure security for all sectors, my answer is also “YES.”

Financially this makes the most sense. It is the most portable, scalable, measurable, comparable, and feasible approach if you go beyond a single critical infrastructure sector.

NERC CIP moved the needle for the electric sector when the idea started 20 years ago. Today’s landscape of industrial control security standards has come a long way since then, and so has our understanding of how to regulate cybersecurity. It’s time to think about this problem differently – and with an understanding of the spectrum of costs and resources needed for success. As much as I would love to see more security in the water sector, understanding the pitfalls of the NERC CIP path is imperative before simply dropping into the rut it created.

We can learn from the electric sector’s experience and do it better in the future.