Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and enough time to answer that question now. Like most things in life, it is not a simple yes or no. It depends on an organization's previous efforts on control system security, its intention, and time. Here are some conclusions:
- For owner/operators who have paid little or no attention to cyber security, NERC CIP initially results in significant improvements in the security posture. Effective security perimeters are erected, security patching begins, anti-virus is installed, user management starts, and a variety of other basic technical and administrative security controls are initiated. Think about the huge risk reduction against all sorts of cyber events from just establishing a security perimeter, anti-virus and security patching.
- For owner/operators who had an active and even moderately effective cyber security program prior to CIP, CIP has stalled efforts to improve the security posture. The focus shifts from addressing security risk to reducing regulatory risk. Regulatory risk is a term we use to cover the risk of being non-compliant with CIP and receiving fines or other negative consequences. These proactive owner/operators are spending their time on all the paperwork and processes that CIP requires. Some of this will reduce security risk, but most of it will not, and the correlation with what would be done with equivalent resources to reduce security risk is low. The most disappointing impact of CIP is on these forward-thinking owner/operators, who have had their progress derailed by so much effort spent addressing regulatory risk.
- Owner/operators who never wanted to address cyber security risk get the initial positive impact from CIP, but then this quickly turns into primarily addressing regulatory risk. This is where you see decisions being made to use the language of the standard to avoid being covered by CIP. Stated simply, it is an effort to spend minimal effort reducing regulatory risk with little concern for security risk.
I will try to convert this into a graph and curve next week.
Now look at the direction CIP is heading, as well as future regulation of other sectors. It is moving toward more specifics, more documentation, and less room for judgement. I would say the most disappointing part of our work is when I have to tell an owner/operator they have to deploy some control that makes no sense from a security risk management standpoint, because the level of effort vs. risk reduction is terrible, but they have to do it to meet the CIP standard.
So what is the solution to prevent CIP and other standards from dramatically increasing the level of effort spent on regulatory risk without a substantial reduction in security risk, while still motivating laggards who would otherwise avoid security to do something? This is a hard question that one really has to answer before saying the CIP approach should be scrapped.