As we continue this conversation about cybersecurity regulation we need to keep focus on true risk reduction and security and not focus as much on simple compliance.”
A big challenge is the misconception that OT systems work the same way as IT systems, and that existing IT regulations can therefore simply be applied to these environments as well. That’s not true at all: critical infrastructure operators need to deal with a number of factors, like critical downtime and the complexity of legacy systems, both of which complicate security measures that are standard in IT, such as patch management processes.
Here, working with critical infrastructure asset owners, operators and other stakeholders with knowledge of the domain is key to better understanding how to keep these systems safe and what actually helps. When the Transportation Security Administration (TSA) publicized an updated Security Directive in July 2021, for instance, it was met with criticism from pipeline operators, who said the directive pushed security practices designed for IT systems rather than OT systems. After working with the impacted oil and natural gas pipeline owners to get their feedback, the TSA last year released a new directive that gave more flexibility in how the measures could be applied and that relied on performance-based indicators rather than prescriptive requirements.
“For a long time we assumed systems were architected similarly if not the same,” said Robert Morgus, senior advisor of risk and resilience at Berkshire Hathaway Energy. “However, in most operational environments at this point, you have legacy systems, you have new systems, everyone’s architecting and building differently… when you have such diverse environments, the owners and operators understand those environments better than anyone else, they understand what needs to go in to protect those environments better than anyone else and if a regulator is not engaged with those owners and operators, you can have some pretty bad outcomes.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has aimed to bring parties together and better understand critical infrastructure priorities, nomenclature and challenges by creating the Joint Cyber Defense Collaborative (JCDC), an agency effort to develop cyber defense plans with both public and private sector entities.