Yesterday I published a brief piece on President Biden’s “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems”. A long-time reader of my blog, Jake Brodsky, posted a comment to that post that should be read by anyone interested in the Administration’s ongoing effort to improve cybersecurity in critical infrastructure. One point that Jake made is worth discussing here:
“I have a lot of respect for what CISA does. However, they cannot be the ones to enforce security on industries that they are not responsible for in any other capacity. That should come from the EPA in water, FERC in Energy, and so on. I would vastly prefer to see CISA become a research, integration, and intelligence distribution agency --much as they're doing now.”
Jake makes a good point: CISA is not really set up to be a regulator. With the exception of the Chemical Facility Anti-Terrorism Standards (CFATS) program, which does fall under CISA, the agency does not have the personnel or the background to act as a regulatory body. Regulating cybersecurity takes more than just writing regulations or Security Directives. Without the people to go out into the field and check that the regulated entities are doing, or even can do, what is written in the CFR, writing regulations is an empty effort.
In process industries, cybersecurity of control systems should be intimately tied to process safety. I do not care how many security controls you have in place; someone who is determined enough will find a way around them. What should matter more for operational cybersecurity is ensuring that process safety controls are in place so that, when the cyber systems fail, they fail in a safe mode.
If we try to get too detailed in our ‘cybersecurity goals’, we will make them too expensive and too complex to apply at all of the facilities where they are needed. Each facility is going to have to determine which tools are most appropriate for its operations to achieve the general cybersecurity goals. But we must keep in mind that cybersecurity has to be tied back into the safety and business case of each individual facility. If we fail to do that, cybersecurity will continue to take a back seat to getting product out the front door.
For a more detailed look at the problems with CISA as a regulator, and my view of what the cybersecurity goals should look like, see my article at CFSN Detailed Analysis: https://patrickcoyle.substack.com/p/reader-comment-ics-cybersecurity (subscription required).