Only 3 percent of information technology executives who work at American power facilities and other U.S. critical infrastructure sites believe that compliance actually reduces the threats against their operations, a report finds.
Issued by the Ponemon Institute, an independent organization that conducts research on information security policy, privacy, and data protection, the report reveals that federal compliance measures fail to adequately protect those companies.
One of the most prominent sets of compliance standards active in the field today is that developed by the North American Electric Reliability Corporation (NERC). The NERC standards are mandatory in the United States and include the Critical Infrastructure Protection (CIP) standards CIP-001 through CIP-009, which specifically relate to critical infrastructure. These nine standards mandate that all critical facilities maintain an efficient, holistic security culture. This includes training employees in security awareness, setting up protocols for reporting security incidents, and building effective recovery plans.
The NERC standards themselves are not ineffective. Rather, the report finds that about 40 percent of executives are more concerned with fielding immediate operational concerns, such as downtime, than with ensuring compliance with federal standards.
This comes as a surprise given the cyber threat landscape today. In a recent survey of some 600 executives in power and critical facilities, 70 percent reported having been the victim of a breach in the last year, and 78 percent said that a serious cyber security incident was likely in the next two years. However, it was reported that only 28 percent rank cyber security among their top five business priorities, while an even lower number, a mere 6 percent, provide training to all of their employees.
What accounts for this gap in concern?
There are a number of explanations. First, as related by Chad Stowe, a leader in cyber security with Hein & Associates, many small- to mid-sized companies, especially those not engaged in finance or information security, do not feel the need to create even basic cyber security incident mechanisms or training programs because they are not convinced they are at risk. Some executives at power and other critical infrastructure sites may share this sense of denial about cyber security, or they may not appreciate the true extent of the threat.
Second, it has been shown in recent years that cyber attacks are growing in complexity, and IT security professionals have a difficult time locating malware in today's systems and networks. Yet given that half of the 3 million passwords surveyed by the 2013 Trustwave Global Security Report met only the bare minimum security requirements, the "human factor" might be an integral part of that difficulty. Human users may therefore be undermining their own organizations' efforts when it comes to compliance.
Third, to ensure compliance, some industries feel they need stronger communication measures binding them together. This viewpoint undoubtedly influenced the Senate Select Committee on Intelligence to approve the Cyber Information Sharing Act (CISA) last week. Though it could strengthen communication channels among critical infrastructure sites and with Washington, whether the bill moves to the floor for debate remains to be seen.
Clearly compliance is not enough. As the discussion above shows, power facilities and critical infrastructure entities require robust security cultures, including engaged managers, aware employees, and diverse communication mechanisms, in order to achieve compliance with information security standards such as those developed by NERC. In other words, compliance is most effective when these elements of a security culture are in place before the broader security program is built on top of them.