Of Cybersecurity Frameworks, Requirements, and Compliance

What do editors and energy industry cybersecurity experts have in common? They both recognize the importance of language. Specifically, presenters and participants in workshops at the EnergySec Summit in Denver this week provided guidance and asked questions about terms, definitions, and interpretations of everything from generic concepts (“What is a framework?”) to specific words used in NERC CIP 5 (“What is an ‘originating device’?” and should “interconnection” have been “Interconnection”?).

Confusion about what terms mean was one reason that North American Electric Reliability Council Critical Infrastructure Protection (NERC CIP) version 5 came to be. The latest version, according to EnergySec President Steven Parker, is much better. However, even the clarifications lead to complications, because if your company interpreted a term one way in the past, the definitional clarification may require you to now modify your security practices.

If you can say one thing for sure about these discussions, it is that you should know what your risks are, know what you are doing to protect your facilities, and know why. As the Supreme Court case involving Mazda seat belts underscored (an example recounted by Josh Axelrod of Ernst & Young), compliance with a regulation may not be sufficient liability protection.

Additionally, as Parker noted toward the end of his workshop on NERC CIP standard changes, “Compliance isn’t necessarily security.”

As a closing comment, I offer this snippet of conversation overheard at an elevator bank on Tuesday. As I was in the elevator and the speaker and his auditor were not visible, I don’t know if they were EnergySec Summit attendees, so I don’t know if they were discussing breaches of electricity systems, but the comment is apropos: “…It’s gonna happen—just pretend like you’re surprised…”

—Gail Reitenbach, PhD, Editor, POWER (@POWERmagazine, @GailReit)