We know the issue of cybersecurity can’t be ignored; the increasing amount of legislation being enforced globally is making sure of that. Boardrooms are beginning to recognise the vital role that cybersecurity is playing to ensure smooth and continued business operations, thereby averting the financial and reputational damage caused by an attack. Furthermore, increased public awareness of vulnerabilities and attacks has raised customers’ expectations regarding the cybersecurity ethos of companies they work with, and whether or not they follow best-practice principles.
It comes as no surprise that 2018 has been a year of change in our regulatory landscapes. While the finer details of new regulations have been ironed out over recent years, the scale of the cybersecurity problem hit the mainstream news in 2017. In those 12-months, not only did the UK’s National Cyber Security Centre (NCSC) warn that future attacks would cripple critical infrastructures, but the US-CERT also warned that critical national infrastructure firms are now at an increased risk of cyberattack.
Why we need increased regulations
Since then, in the EU the Network and Information Systems Regulations 2018 (NIS) has begun making its way into local law.Also, in the US, the NERC Critical Information Protection (CIP) standards have been implemented, which can be used to impose fines of up to a million dollars a day for security breaches in the power industry. These are among the best-established cybersecurity rules in the world.
For many, increased regulations may feel like a burden; a box-ticking exercise that must be completed to avoid costly fines, rather than a key business process that enables continued operations with less security risk. But this viewpoint is flawed; their influence should be viewed as wholly positive. Regulations establish norms and standards, a baseline for good practice which individual companies can use to set their own benchmarks.
That is why, especially when it comes to critical infrastructure, there are many international bodies that have developed regulatory frameworks and standards for Operational Technology (OT) cybersecurity. While they all have slight variations, the overall purpose is the same: to promote best practice security standards and ensure that they are followed with a punitive enforcement regime for those who fail to meet them.
What this means is that for providers in sectors such as power, water, chemicals, oil and gas, regulatory compliance with cybersecurity standards is no longer a choice. If you’re not preparing already, you will fall foul of enforcement when it commences.
Does regulatory compliance mean cybersecurity?
Of course, every business wants to minimise production downtime or reputational damage stemming from a cybersecurity incident, especially when it could be followed by a large fine imposed by a regulator. That is why decision makers are beginning to refocus their efforts on improving OT security.
Practically, there is an increased understanding regarding the importance of “security by design” and what it means, and the technical tools for risk assessment and mitigation are widely available and understood. The expertise to independently identify and address threats exists in the marketplace, even if it can be a challenge to provide through internal resources.
More fundamental, however, is the need for wider culture change within organisations. It’s not enough that OT security practices are seen as a concern for internal and external specialists only, and don’t impact workflows and routines outside of professional silos. Cybersecurity awareness is the responsibility of all employees, and better ways of communicating the risks and challenges have to be developed.
The good news for decision makers is that by building relationships with security experts and engraining an internal culture of cybersecurity, the question of compliance itself will become an almost moot one. It’s an area in which it pays to be ahead of the regulator, because if you’re aiming to be truly secure, then you’ll already be meeting many of the key requirements of any local laws.
To learn how Applied Risk can help you identify vulnerabilities and risks in physical, IT and OT systems, visit: https://applied-risk.com/solutions/services/risk-and-vulnerability-assessment-rva