Monday, January 24, 2022

Reader Comments – Alternatives to FERC INSM NOPR

An interesting discussion this weekend over on LinkedIn about my post on FERC's INSM (internal network security monitoring) notice of proposed rulemaking. Lots of good information in that discussion. One point worth mentioning here: Richard Brooks provided a link to an article in which he is quoted as saying:

“The NOPR will ‘not provide cybersecurity improvements because many entities already implement these cybersecurity best practices, such as anti-malware, but the FERC Order will increase the workload on entities subject to NERC compliance, because they will also have to meet all of the NERC compliance requirements, usually in the form of paperwork, in addition to managing cybersecurity,’ Brooks added.”

This is a standard argument against almost any regulatory mandate, and it has a certain level of validity, particularly for the ‘many entities [that] already implement these cybersecurity best practices’. For those organizations, the order resulting from this rulemaking effort will certainly mean some increase in compliance paperwork, and that added workload will not make them any more secure. And depending on how the resulting standard is worded and implemented, it may impede future innovation in this security niche. The latter concern, though, is supposed to be addressed by the cooperative standards-development process under NERC, which is where the detailed requirements would actually be written.

Unfortunately, ‘many entities’ is not ‘all entities’, and in an interconnected system like the bulk electric system (BES), the country cannot afford too many weak links. Getting the BES to a level where most high and medium impact systems are effectively using internal network security monitoring is only going to be achieved by going this regulatory route.
