Although specific cyber security requirements already exist for certain critical infrastructure providers, changes, and possible penalties for non-compliance, are emerging for energy operators on both sides of the Atlantic.
Key to this are significant efforts to establish new rules governing cybersecurity and critical infrastructure. In the U.S., this came in the form of a presidential executive order published in February entitled “Improving Critical Infrastructure Cybersecurity.” In the same month, the European Commission released its “Cybersecurity strategy of the European Union” and the “Directive on Network and Information Security.”
There are differences between the U.S. and EU approaches. In particular, the U.S. appears to be adopting a more voluntary approach to cyber security. This is achieved through the expansion of the information sharing program, as well as the expectation that the National Institute of Standards and Technology (NIST) will work “collaboratively with critical infrastructure stakeholders to develop the framework relying on existing international standards, practices, and procedures that have proven to be effective” in a truly voluntary public-private partnership. In Europe, however, policy makers are proposing specific mandatory actions, such as a security breach notification requirement, in addition to the similar notification requirements that already exist under current rules.
While there has been significant focus on the divergence between the two approaches, it is worth considering that in the U.S., there are existing cyber security requirements with associated penalties for energy operators. Conversely, in many European countries there are well established voluntary programmes for information sharing within the energy sector.
It is also worth considering that while emerging requirements focus on cyber security, existing efforts have also addressed privacy as it relates to the smart grid. In particular, these efforts include the development of tools that support the due diligence required to demonstrate that privacy is built into the design of systems and that any risks are appropriately managed. Moreover, operators should consider that these approaches are only the initial steps towards governing cybersecurity for critical infrastructure operators.
Indeed, in the U.S., the House of Representatives recently passed a number of cyber security bills during its annual “cyber security week”. The bills addressed such topics as improving federal cyber security research and development, enhancing the way in which government agencies protect their own IT infrastructures, and giving companies liability protections to encourage them to share threat data with the Federal government. The U.S. Senate is also expected to take up cyber security legislation, and it is likely that it will address information sharing, and possibly the matter of critical infrastructure protection.
In Europe, initial cyber security proposals are being made for the development of an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
That cybersecurity (and privacy) are under the spotlight should be welcomed, as nefarious actors have been focusing on the energy sector and broader critical infrastructure for some time now. I do welcome government action on cyber security – it’s needed and it’s appropriate. But I would urge policy makers to remember that our greatest successes have come when the public and private sectors work together to thwart our cyber security adversaries.
Collaboration, based on a genuine partnership, will enable both government agencies and companies to continue to leverage new innovations in technologies to thwart the growing array of cyber threats. I believe that the power of innovation, given how rapidly the threat landscape changes, is our best bet for making real progress in the coming decades.