NARUC further notes that cybersecurity efforts have typically focused on business process systems, basically IT networks and systems, but these are very different in nature from utility SCADA control systems. For example, SCADA systems “have much longer deployment lifetimes with much rarer software updates and much scarcer physical security measures.”
But NARUC also notes that owners and operators of these systems have “not been sitting idly by....” For example, the North American Electric Reliability Corporation (NERC), which spearheads industry standard-setting efforts, has already issued some cybersecurity standards, which are still evolving, and NARUC itself issued a cybersecurity primer as a guide for utilities last year.
As for what basic concepts NARUC would like NIST to keep in mind as it shapes the framework, these include defense-in-depth principles and the importance of resilience as well as the importance of the human factor. In terms of ensuring compliance, NARUC notes that regulators don’t have to become IT experts, but they do have to know enough to be able to ask “smart cybersecurity questions of utilities.”
NIST will have held two workshops by June. The first simply set the stage; the second was planned for late May (after press time) and was to be focused on examining all of the submitted industry comments, with the goal of beginning to cull ideas for the framework; there will be several more workshops before a first draft is issued for comment in October.
As critical infrastructure operators wait for the framework to take shape, they should not take the view that the threat is too complex to address. As White House Cybersecurity Coordinator Michael Daniel noted in the first NIST workshop in April, 90 percent of the data breaches that do occur turn out to be caused by known vulnerabilities that could have been avoided with simple security measures. Michael Arceneaux, managing director of the Water ISAC, seconded that, noting, “Basic hygiene would take care of a lot of the cybersecurity gaps in the water sector.”