Why Checklists Win

Talk to most security professionals, OT and IT, and they’ll tell you that applying a checklist approach to security controls across an industry sector makes no sense. Compliance with a standard or regulation does not equal security. Each company should take a risk-based approach and implement security where needed to reduce risk to an acceptable level.

So why are most OT cybersecurity regulations a list of required cybersecurity controls? Checklists? Because both regulators and the regulated companies prefer checklists.

Regulators like the checklist approach: a list of specific requirements that represent consensus good practice. You, the regulated entity, must have all of these security controls in place. Why do regulators like this?

  • They’re easy to write. Find some guidance documents and pull out the recommended security controls. Err on the side of including too many. You, the regulator, will get in more trouble for leaving something off than for including too many. And if you missed some, you can always add to the requirements in subsequent versions. It’s almost expected that the regulation, the checklist, will grow.
  • They are easier to audit because judgment is minimized. This control is required. Can you prove or attest to the auditor that it is in place? Check.

What’s less obvious is why the regulated companies, the asset owners in the OT world, prefer checklist regulation over risk-based regulation.

First, let’s take a step backwards. Many OT security professionals do not prefer the checklist approach. We go on about how a whole swath of these security requirements makes no sense in our environment. They do nothing to reduce risk and are costly in time and money.

Security professionals, and OT security professionals even less so, don’t matter a lot when it comes to regulation. The people who matter are the executives and their minions who talk with the regulators about a win-win regulatory framework.

They prefer the checklist approach. Why?

The executives have to manage all sorts of risk, including regulatory risk. The best way to reduce regulatory risk is to not be regulated. This is the first choice. If avoiding regulation isn’t an option, the next choice is as little regulation as possible.

This is not saying executives don’t care about OT cyber-related risk. If they are convinced of an unacceptable risk, they will fund and demand action. If you’re not getting action, it means you haven’t made a compelling case to the executives whose job it is to manage and accept risk.

A regulation introduces a new risk: regulatory risk, which can result in fines and worse. Executives must deal with this regulatory risk, and they want the simplest and least costly way to manage it. A list of specific security controls can be met with much more certainty than a risk-based regulation.

Additionally, imagine the case where a regulated asset owner is compromised with a major impact on customers, citizens or stockholders. Under a risk-based regulation, the regulated asset owner’s own approach is what was lacking: an unacceptable consequence event happened, and the list of controls they themselves determined to be appropriate did not stop the incident.

If there is a checklist, the regulated asset owner can say they followed good practice as specified in the regulation.

There is some overlap between what is done to manage OT security regulatory risk and what is done to manage OT cyber risk. This is a positive. Unfortunately, what we saw with NERC CIP and other regulations is that meeting the regulatory risk soaks up all the resources. The best OT cyber risk management actions can be discarded or delayed if they are not a regulatory requirement.

If you know of any risk-based OT security regulation, please put it in the comments. Don’t include things that have different checklists for different size or criticality systems, like NERC CIP. This multiple-checklist approach is better, but not really risk-based.