The U.S. government must do more to regulate cybersecurity practices, particularly in industries that own or operate critical infrastructure, said Brian Zimmet, a partner with law firm Venable LLP, which focuses on regulation and restructuring issues for electric utilities.
Zimmet believes owners and operators of such infrastructure, including oil and gas pipelines, chemical refineries, transportation systems, financial institutions, hospitals, nuclear reactors, dams and agricultural infrastructure, will likely see more government oversight of their cybersecurity practices in the coming years. And there’s an obvious place to look for clues to what those changes may look like.
The electric industry is the one to watch for a look at the future, Zimmet said. Changes already in place in the electric industry show what the regulations now in the works will look like, as well as how increasing government oversight will affect enterprises’ security practices, he said.
Zimmet and his colleague Jason Wool recently co-authored an article in MarketWatch that highlighted the types of requirements the electric industry has faced. These changes, the authors contend, are likely to be carried over to a new, more broadly applicable regulatory regime.
“There likely will be specific requirements governing the identification of critical cyber infrastructure,” Zimmet said, likely through a risk-based assessment. The requirements will cover areas such as setting up and maintaining both electronic and physical defensive perimeters around infrastructure; tracking who has access, both physical and logical, to the infrastructure; and keeping tabs on who is actually accessing the infrastructure, he said.
Regulations will also look at how the infrastructure is configured, to ensure open ports and services are limited to those needed for actual operations, as well as at patch management, antivirus, testing and disaster recovery practices, Zimmet said.
Electric industry regulations have been in transition because the standards currently applicable to the electric industry “are quite general and vague, and it’s often unclear exactly what a company has to do to comply with many of those standards,” Zimmet said. “For example, one of the requirements in the standards is for a company to have ‘strong procedural and technical controls’ at access points into an electronic security perimeter. What are strong procedural and technical controls?”
The phrase is not defined in the standards, and opinion on what it means can vary among cybersecurity experts, Zimmet said. “There is substantial discretion on the part of the regulators to come in and disapprove of a company’s practices, based on the vague language of the standards,” he said. “That phenomenon has presented significant challenges for the industry.”
At the same time, Zimmet noted, “We have found that IT personnel in most companies generally are not used to the type of command-and-control regulation that the current standards impose, and therefore have been unprepared for the type of oversight that they have experienced. For better or worse, being regulated means, in large measure, clearly documenting all your practices, and being able to prove to a regulator that you comply with the applicable requirements. This also has been a challenge for the industry.”