Export Compliance Daily is a service of Warren Communications News.
Significant Changes Unlikely

Some Areas of General Agreement Shown in Filings on Updating DHS Cybersecurity Framework

Areas of general agreement among industry and state officials on cybersecurity included that the Department of Homeland Security should continue to emphasize cooperation between various companies and agencies in updating its framework, and a risk-based approach should be used, said some filings posted Tuesday. In addition to the Telecommunications Industry Association, which urged such cooperation (CD July 9 p12), the Edison Electric Institute (EEI) and National Association of State Energy Officials (NASEO) sought coordination among various stakeholders. Under President Barack Obama’s February directive on cybersecurity, which accompanied his executive order, DHS has until later this year to update the 2009 National Infrastructure Protection Plan, the department said in a June request for comment (http://1.usa.gov/13JMGUz).

The updated NIPP should include a role for states, which have “expertise and capability” to “ensure a robust plan to ensure a resilient energy system,” said NASEO (http://1.usa.gov/185hOx3). State energy offices and public utility commissions “should be engaged in addressing cyber security threats and working with the private energy sector on mitigation efforts,” said the association of governor-designated energy officials from all states and territories. “Consideration of cybersecurity needs to be a standard element in the deployment of computer systems used to support and operate energy delivery systems.” More than 40 percent of the 198 cyberincidents reported to DHS’s Industrial Control Systems Cyber Emergency Response Team in FY 2012 involved energy companies, said NASEO.

NASEO has been working “closely” with NARUC on energy and cybersecurity issues, said Jeff Pillon, NASEO director-energy assurance, in an interview. “NARUC has been very active in pursuing enhanced capabilities within public utility commissions in improving their ability to address cybersecurity.” While “communication in the sharing of information has significantly improved,” there is “room for further progress,” said NASEO (http://1.usa.gov/185hOx3). “DHS and state fusion centers need to recognize the important role state-level sector specific agencies play in not only providing information, but also improving how information is shared at the state level among state agencies.”

“PUCs are basically asking a lot of questions of their utilities” about cybersecurity, said a NARUC spokesman by email. “Some have formed ‘teams’ to address cyber security and make sure their commission and regulated utilities are focused on it. The responsibility for securing the utility system lies with the utilities themselves, but our members are the ones who will determine cost recovery for safety expenditures.” A team of NARUC officials led by Director-Grants and Programs Miles Keogh will have visited 30 states by mid-July to hold workshops and other events on cybersecurity, said the spokesman. He noted that in February the association released a report on cybersecurity. It advised state regulators to develop expertise in the area, engage in public-private sector partnerships, “explore the integrity of their internal cybersecurity practices” and ask “good questions of their utilities” (http://bit.ly/13zChvO).

Risk management is needed and the NIPP should reflect that, said EEI and NASEO. The guidelines don’t need “significant conceptual changes” and rather should have a “shift” in implementation to not cause “distraction” from risk management, said NASEO. That has “left states and local governments without clear direction on how to best determine what should be seen as critical infrastructure at the state and local level,” it said. NASEO sought “a more flexible approach” for companies “to determine the relative importance to their overall risk profile” and let the “public sector to understand the private sector systems’ operations, capacities, supply chains, and interdependencies.” The revised NIPP probably won’t much change the risk approach, Pillon told us. There’s a “dilemma” of how to measure “relative risk” across industries, he said. “You need to look at it both ways” using a “more-detailed level” for specific “sectors and vulnerabilities” and “at a higher level” to examine various “sectors in a way that recognizes some of the interdependency,” said Pillon.

EEI backs what it called a risk-management approach to infrastructure hardening. “Addressing all threats and vulnerabilities requires unlimited resources,” said the group representing about 70 percent of the U.S. electric power industry (http://1.usa.gov/16odKEV). “Risk management enables utilities to prioritize resources to address the most critical infrastructure threats and vulnerabilities and help justify any additional costs needed to implement effective hardening measures.” Industry standards aren’t sufficient for cybersecurity, and coordination with agencies is needed, said EEI. “Infrastructure protection requires a close working relationship between government and industry to identify the prevention, protection and mitigation measures needed to minimize infrastructure risk against rapidly evolving threats. Our efforts will be vastly improved with better information sharing capabilities and a clearer understanding of roles among various government agencies,” which Obama’s February actions seek to achieve, said the institute. An EEI official had no further comment for this story.

DHS should continue to encourage public-private coordination, said TIA (http://1.usa.gov/10Lrtqu). Such work has “been recognized as the basis for the cyber defense of critical infrastructure and cybersecurity policy for the last decade,” said the association. “The success of critical infrastructure owners and operators in preventing progressively complicated attacks has stemmed from the voluntary, public-private model in use.” TIA said “it will be critical” the National Institute of Standards and Technology and other agencies build on such existing partnerships as “the complexity and number of attacks grow.”