Last week I was in Singapore at the CSA OTCEP event. You notice the differences between Singapore and the US as soon as you step into the airport and go through customs.
There are at least three major differences that bear on how well a government can manage a nation's OT cyber risk:
- The Singapore government is more streamlined and has more authority. It has a much easier time developing, requiring and enforcing OT cyber risk regulations. Advantage: Singapore
- Singapore is a much smaller country, with far fewer critical infrastructure companies in each sector than the US. In most cases the regulators can sit in a conference room with all of the sector participants. Advantage: Singapore
- Singapore is an island with limited natural resources. The large, resource-rich US geography offers many resiliency and recovery opportunities and can support self-reliance. Advantage: US
Note: the advantage describes the ease with which a government and industry can manage OT cyber risk in a sector. It is not a judgment on the overall system of government.
If you are responsible for managing OT cyber risk for a nation, you would much prefer the Singapore model. They can decide and move forward, and the smaller size means you can know and work with all of the players.
Even with these advantages, it is far from easy. There is a tension between how easy a regulation is to specify, comply with and audit, and that regulation's true value in managing OT cyber risk. The jobs of the regulated and the regulator are much easier if the regulation is a list of mandatory security controls. These reduce compliance risk, but many of the mandatory security controls will contribute little to likelihood reduction, and they do not touch the consequence side of the risk equation at all.
There is also the challenge for the regulator in leaving a "good practice" off the list of mandatory security controls. Even if it does little to reduce risk, many security experts will likely call out its absence. These lists tend to grow over time, with security controls added but never deleted. It would be an interesting experiment to put a cap on the number of mandatory security controls and require that a control be removed before another can be added.
The better approach is risk-based regulation. The regulated companies need to show that they are appropriately managing the cyber risk that would affect the nation. (To paraphrase Rob Lee, companies can do what they want with business risk, but they should not be the decision makers on community risk.)
While most agree a risk-based approach is preferred, it is hard to specify and enforce. There is uncertainty for both the regulated and the regulator, and it can lead to greater variance in the regulator's judgment. If you've seen a success story in this, please message me. In the meantime, we should watch and learn from the efforts going on around the world.
I believe we will not have a unified solution that will work across the diverse systems which include external forces such as government regulation, cultural factors, and expectations. But can the approach to arriving at the solution, a methodology, be consistent across this diversity?