How does this cyber guide differ from other cyber reports and guides aimed at regulators? How is it unique?
I think that the elements that make this product unique are two.
First: the fact, that you report in your question, that they are intended, from their very beginning, for the regulators. Investments to protect critical infrastructures are in the hands of utilities and, more in general of companies. The large majority of documents in the filed literature deals with what should the companies (or more in general the operators) do. Regulators seem confined in the backstage of the scene. On the other hand, energy regulators have a unique role to play in the field of cybersecurity, to ensure that the whole interconnected system enjoys a fair level of protection. They have to ensure that investments made in the name of cybersecurity are reasonable, prudent, and effective, in particular when those investments are going to be reflected in consumer tariffs. These Guidelines do not represent a recipe (that would be outdated in a few months) on the best cybersecurity strategy for the power system; on the other hand they review instruments (concepts, approaches, procedures, sources) for the regulators taking good decisions when trying to encourage the power system resilience to cyber-attacks.
Second: they adopt a practical style, oriented to give functional and comprehensive answers to the regulator’s need of understanding how to intervene in the field of cybersecurity. Most available sources are represented by list of prescriptions and recommendations to manage a certain problem from a technical point of view. Even supposing that the decision on how to handle the cybersecurity stance of the power system is the responsibility or the regulator, this decision is just the beginning of the regulatory task. Then it will be necessary to take into consideration the general regulatory framework, the real operational context, the necessity to manage the interrelations between the various stakeholders. This is why in these guidelines the IT and cybersecurity aspects have been complemented considering also the approach from other disciplines.
Energy regulators have a unique role to play in the field of cybersecurity. While the implementation of cybersecurity measures is typically the responsibility of power system operators, regulators have an obligation to ensure that investments made in the name of cybersecurity are reasonable, prudent, and effective. These guidelines are intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of their power systems, and are based on literature and current practices. They attempt to answer the following questions:
- Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
- How can regulators identify and benchmark cybersecurity costs?
- How can regulators identify good countermeasures for cybersecurity?
- How can regulators assess the reasonableness of the costs associated with these countermeasures?
- Is it possible to evaluate the effectiveness of cybersecurity investments?
- Who should identify, benchmark, measure, and evaluate the countermeasures in different regulatory frameworks?
These guidelines are a first-of-their-kind resource, and demonstrate the leadership of USAID and NARUC in empowering energy regulators to support and encourage grid resilience by ensuring prudent and effective investments in cybersecurity by their regulated entities. The guidelines strive to provide space for concepts, processes, and methods rather than prescriptive lists or ready-to-use formulas.
Although intended for regulators, should industry also read the guide? Why?
The different instruments, pieces of information, and approaches addressed in these guidelines have different roles in the various regulatory frameworks and may be used by several different stakeholders in diverse ways. The implementation of cybersecurity strategy for the power system is the result of the interaction of the involved stakeholders; anyone has a task to accomplish! This is discussed in the second chapter of the guidelines “Preliminary Concepts for Correctly Using These Guidelines”.
So, I would suggest the companies reading the guidelines not only because some arguments could find application also inside the firm, but because understanding the rationale behind the regulatory action is a fundamental condition to establish trust and collaboration.
What aspect of cybersecurity is most overlooked or misunderstood by regulators?
I will answer starting from one aspect whose importance tends to be overestimated. Many regulators feel that clearly defining what companies should do will guarantee a higher protection to the system. Their request to researchers and to experts is: please tell us which is the gold standard for cybersecurity, and we will ask the companies to implement the related measures and investments. The problem with this compliance-based approach is that it may give a false sense of protection. Experts repeat that threats keep on evolving. Actually, the most dangerous threats appear to be the advanced persistent threats (APTs); there is no investment in assets able to defend against APTs, the defender will have to continuously improve his maturity and proactively evolve his defending strategies. So: do not invest in walls but spend in the training of your soldiers!
This leads me to the most overlooked point. Regulators tend to focus on cyber investments. Very often the regulation says that investment costs are recovered, while operational expenses remain in charge to the company. This makes sense in many situations but may prove dangerous in the field of cybersecurity. At present, the top priorities are the definition of a strategy and of working processes, and the skills of personnel. All of them turn mainly into current expenses. This remark has a general value but it is especially relevant in transitioning economies, where the most diffused shortcomings are represented by processes and personnel.
Experts underline that advanced persistent threats (APTs) are among the most dangerous threats because they are extremely difficult to detect and defend against, making them the attackers’ weapon of choice. In very simple terms, an APT is an attack in which an unauthorized user gains access to a system and remains within it for an extended period of time, without being detected and identified. By doing this, hackers can have continuous access to sensitive data stored by the an operator on its servers and may deploy long-term attack strategies. An APT approach implies substantial investments and efforts on the attackers’ part and, in fact, these the attackers are often organizations endowed with means and skills, managing a number of strategies and attacks. Effort and time are needed in order to acquire sufficient knowledge, to develop a method to launch such an attack, and to probe the target’s entry points so as to exploit system vulnerabilities.
Defenders (either internal security staff or defenders in a federated security operations center) need to continuously increase their level of maturity by using the most advanced tools and strategies. Proactive anticipatory maturity is necessary to gather and effectively operate cyber-physical system protection tools. It is recommended to perform regular audits in order to identify gaps in the solutions offered to effectively respond to APTs. It is also necessary to timely gather, prioritize and process data.
When analyzing a standard, it is difficult to distinguish the most important requirements from the ones that can be postponed. Cybersecurity standards enable organizations to deploy safe security techniques in order to minimize the number of successful cyber-attacks: a cybersecurity standard is a comprehensive and heuristic approach that ensures a given level of protection if the operator complies with all countermeasures required. Nevertheless, not all actions are the same, and some of them have an “enabling” role, i.e. they are necessary to make the other countermeasures effective.
The starting point, is the definition of cybersecurity objectives and of the plan to reach them. This means adopting a specific strategy and architecture and designing an organization for the implementation and management of the strategy.
The second priority has to do with personnel and working processes. “Securing” personnel is an essential point. First, all employees must be made fully aware of cyber risks and the importance of properly using physical assets. They must be skilled enough to avoid or to intervene to mitigate the effect of cyber threats, such as phishing and malware, and the improper use of physical assets, e.g. using USB keys or other devices to transfer data or connecting personal devices to the network. Skilled personnel is needed to take full advantage of the technology installed. Another issue concerns the selection, management, and supervision of people since employees might cause security breaches not only due to the incorrect use of physical or information systems but also deliberately. In practice, to address this second priority, an operator must invest in personnel selection, training, awareness and in processes for correct information management.
Priority should be given to critical assets, often referred to as crown jewels, on which the functioning of critical infrastructuresrelies. However, it is also important to protect the system itself, the network connecting the various devices (e.g., controls and smart meters), and not just single assets. These assets can be identified based on their function, through an analysis of the network topology and of its connections with the external world. This last step implies adequately protecting all the relevant infrastructures, avoiding investments when the cost of protection exceeds the potential benefits, which highlights the importance of the benefit analysis (see section 3.3) in cost prioritization.
A final remark on cost identification: everything described above has a cost. The security of physical assets has a cost, and so do training personnel on a continuous basis, hiring trained personnel, and developing and enforcing procedures to ensure that the personnel is trustworthy. Regulators must keep these points in mind and consider total expenditures; because if only CAPEX items are eligible for recovery, operators might be tempted to disregard the most important priorities, which actually concern operational and maintenance costs.
Other thoughts on the publication you’d like to share?
One of the main struggles in our work has been the attempt to be concrete and practical without being prescriptive. We believe that the design of a regulatory approach is not a technical task, although it should be rooted on many technical assessments. On the other hand, it is truly connected to a country’s values, vision, and legal environment. These guidelines are intended to help regulators think through the paradigm imposed by the cybersecurity challenge, to learn to constantly adapt to change, with the goal of making the power operators better prepared and able to react. The guidelines are not a fish, neither they are a fishing pole. We hope that they will represent a good reading to prepare a competent and aware fisherman. Finally, nothing but experience can turn a beginner into an experimented fisherman. Regulators must get started immediately and learn lessons along the way, because experience will answer more questions than a thousand-page book that would become outdated in a six-month time.
The Guidelines present five possible scenarios applying a consequential decision process. Their merit is to show how to apply the template practically, and that the choice depends on the initial situation and on the values at the basis of the regulatory activity. Although they represent only five possible outcomes out of hundreds of possible combinations, two issues appear to be outstanding:
- What mutual aid agreements are in place (if any)?
- Do I have the in-house enough skilled personnel in-house to address cybersecurity cost identification and benchmarking (for cost- plus)?
The design of a regulatory approach is not a technical task, but it is truly connected to the a country’s values, vision, and law legal environment. These guidelines are intended to help them think through this new paradigm and learn to constantly adapt to change, with the goal of making the power operators better prepared and able to react. The scenarios also show that different approaches may coexist in the same country, for example, a general regulation based on cost- plus and a pilot application of PBR for a very specific objective.
EU countries (and the individual States in the US) have adopted different regulatory strategies, some of them are still in an early phase of initial prospection on the problem. This shows that no gold standard has emerged at present. Likely it will never appear because the design of the regulatory approach is not a technical task, but it is truly connected to the country’s values, vision and law environment. It is useless to let time pass, waiting that a clear, complete and even tailored picture appears. Regulators must get started immediately and learn lessons along the way, because experience will answer more questions than a thousand-page book that would become outdated in a six-month time. These guidelines are intended to help them think through this new paradigm and learn to constantly adapt to change, with the goal of making the power operators better prepared and able to react.
Although there are several definitions of critical infrastructures, official sources agree that power systems are among them. Following the US Department of Homeland Security, “Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety (https://www.dhs.gov/topic/critical-infrastructure-security). The related CISA site provides a list of 16 critical infrastructure sectors, including energy systems (https://www.cisa.gov/critical-infrastructure-sectors). In Europe the Council Directive 2008/114/EC (https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF), which applies only to the energy and transport sector, establishes a procedure for identifying and designating European Critical Infrastructures (ECI) and a common approach for assessing the need to improve their protection.
However, in that context the OFGEM (UK) example, addressed in Appendix 4, is outstanding because its process to establish a comprehensive regulatory approach for cybersecurity is at a very advanced state.