The Sprawling Labyrinth of Critical Infrastructure Cybersecurity

The five-alarm warnings that the Obama Administration issued last fall regarding an impending cybersecurity Pearl Harbor, along with the threat of a cybersecurity executive order, seem to have receded into the background as the President continues to grapple with fiscal woes and a politically arduous gun control initiative.  When last we heard anything from reliable sources, that executive order was being readied for release in January (some press reports confirm this), although that seems highly unlikely given the political lay of the land and the hubbub over the inauguration.

But once the order does come out (or if Congress takes another crack at passing cybersecurity legislation), the gargantuan challenge of figuring out the existing cybersecurity landscape will become clear.  I’ve been working on my firm’s first public product (coming soon), a cybersecurity databook that promises to hit the highpoints on the complex issue. 

My first task in mapping out the book was to simply describe the cybersecurity environment today, highlighting the roles of the major players and how the ground rules get established.  That was no easy task. 

When it comes to cybersecurity for the energy industry, for example, nearly one hundred government-related entities, standard-setting bodies, private coalitions, and trade associations, all have a hand in establishing or influencing the intricate rules, policies and procedures for how cybersecurity requirements and practices are formed, implemented, regulated and shared – and that’s just on the domestic level.   A massive set of groups and government organizations are busy establishing cybersecurity practices and policies on the international level.

I’ve pasted at the end of the article my list of government, standards-setting and information-sharing groups that are profiled in the report.  (If there are any noteworthy omissions in this list, email me.)

At least 36 different government arms, be they affiliated with the White House, Pentagon, independent regulatory agencies, full-fledged Departments, sponsored labs, working groups, or advisory panels, toil away on energy-related cybersecurity matters.  Some, of course, are more active on a day-to-day basis than others and some, particularly those whose primary jurisdiction is telecommunications, only tangentially but crucially overlap with energy.  Some, particularly military groups, may step in only periodically but when they do, their roles carry a tremendous amount of weight.  Some carry the force of law to get things done, while others are merely conduits for basic research, advice and study.

At least 18 different standards-setting body develop or codify the technical specifications for the engineering methods and techniques for how cybersecurity is implemented in practice.  Again, some are more important than others, with many primarily responsible for telecommunications standards – when it comes to energy, most of the networks that need cybersecurity protection the most are in fact nothing more than telecommunications or IP-based networks.

Finally, at least eight information-sharing or multi-organization groups play important roles in the energy cybersecurity arena. 

With all these groups, comprising hundreds of bureaucrats, military personnel, engineers, technologists and other specialists, trying to tackle the rarefied topic of cybersecurity, it’s hard to see how any single plan or program can come to grips with the issues.  Throw in nearly 10,000 energy creators, transmitters and distributors and it’s clear that energy cybersecurity is nothing short of an endless labyrinth

Government Entities Involved in Energy Cybersecurity
National Security Council
Department of Commerce
    DoC - National Institute of Standards and Technology (NIST)
    DoC (NIsT) National Cybersecurity Center of Excellence (NCCoE)
    DoC National Telecommunications and Information Administration (NTIA)
Department of Defense 
    DoD Cyber CrimeCenter (DC3)
    DoD US Cyber Command 
Department of Energy - Office of Electricity Delivery and Energy Reliability
    DOE Argonne National Laboratory
    DOE Idaho National Laboratory
    DOE Lawrence Berkeley National Laboratory
    DOE Lawrence Livermore National Laboratory
    DOE Los Alamos National Laboratory
    DOE New Brunswick Laboratory
    DOE Oak Ridge Institution for Science and Education
    DOE Pacific Northwest National Laboratory
    DOE Sandia National Laboratories
Department of Homeland Security
    DHS - Cross Sector Cyber Security WG
    DHS - Homeland Security Information Network (HSIN)(Private)
    DHS - Industrial Control System Joint Working Group (ICSJWG)
    DHS - US-Computer Emergency Readiness Team (US-CERT)
    DHS - Industrial Control Cyber Emergency Response Center (IS-CERT)
    DHS - National Communications System
    DHS - National Cybersecurity and Communications Integration Center (NCCIC)
    DHS - Sector Coordinating Councils: Electricity and Communications
Department of Justice
    FBI InfraGard 
Department of State
FCC Cybersecurity and Communications Reliability Division (CCR)
    FCC The Communications Security, Reliability And Interoperability Council (CSRIC)
FERC
Nuclear Regulatory Commission
United States Trade Representative
NARUC Committee on Critical Infrastructure
Standards Setting Organizations Involved in Energy Cybersecurity
Alliance for Telecommunications Industry Solutions (ATIS)
American National Standards Institute
Institute of Electrical and Electronic Engineers (IEEE)
International Electrotechnical Commission (IEC)
International Organization for Standardization
International Telecommunications Union (ITU)
National Electric Reliability Corporation(NERC)
North American Energy Standards Board (NAESB)
UCA Iug Open SG-Security 
UCA IugAMI-SEC OpenSG
Information Sharing and Other Multi-Organization Groups Involved in Energy Cybersecurity
Advanced Security Acceleration Project for the Smart Grid (ASAP-SG)
Electric Power Research Institute (EPRI)
Energysec
International Society of Automation (ISA) ISA Information Sharing and Analysis Centers: Power 
Internet Engineering Task Force (IETF)
National Cybersecurity Council Administration
National Electric Cyber Security Organization (NESCO)
North America Transmission Forum 

Image Source:  Wikimedia Commons.

Twitter Delicious Facebook Digg Stumbleupon Favorites More