For information sharing to be a truly functional component of any cybersecurity program, states ICS-ISAC, the “infrastructure itself must become significantly more autonomous and connected, increasing its ability to detect and respond to threats at a speed and with a reliability that will rapidly become beyond human operators’ capability.”
The National Grid also addresses the need for more automated information sharing. And while commentators generally want the framework to avoid being too prescriptive, when it comes to information sharing, the National Grid says that “explicit standards are required.... If done properly, these standards will enable industry participants as well as system vendors to create compliant solutions for information sharing.” For example, the National Grid writes, “Firewalls, IDS/IPS systems, log collectors, applications, and operating systems could have reporting modules that would send encrypted anonymous log data to a centralized clearinghouse for data mining and evaluation.” But it notes in its NIST comments that “the framework must take special precautions to protect the anonymity of participants and their customers.”
As to the challenge of creating a framework that can be applied across sectors, the National Grid has an interesting proposal that might be called a Lego system. It suggests “the development of a list of snap-in or a la carte standards [relevant to specific technologies, such as supervisory control and data acquisition (SCADA) systems].... Industry participants can choose to integrate each standard into their framework....” Vendors could be certified as meeting a given standard, so an entity with a SCADA system could simply make sure that it used a certified vendor.
ICS-ISAC would like to see this level of automation go one step further, so that systems not only self-diagnose and self-report but also self-heal, mimicking the human immune system.
The framework must also take care not to be too myopic in its view of what constitutes a cyber risk, writes the National Association of Regulatory Utility Commissioners (NARUC). “Cybersecurity must encompass not only utility-owned systems, but some aspects of customer and third party components that interact with the grid, such as advanced meters and devices behind the meter,” it notes. Moreover, the framework should recognize that it’s not only about avoiding malicious attacks. “Cybersecurity must protect against inadvertent sources—user errors (including accidents), hardware failure, software bugs, operator error or plain negligence—as well as intentional attacks,” it writes, adding that natural disasters have to be factored in as well, because “a flooded server room cannot provide service any better than one flooded with data traffic from a denial of service attack.”