The Sprawling Labyrinth of Critical Infrastructure Cybersecurity

The five-alarm warnings that the Obama Administration issued last fall regarding an impending cybersecurity Pearl Harbor, along with the threat of a cybersecurity executive order, seem to have receded into the background as the President continues to grapple with fiscal woes and a politically arduous gun control initiative.  When last we heard anything from reliable sources, that executive order was being readied for release in January (some press reports confirm this), although that seems highly unlikely given the political lay of the land and the hubbub over the inauguration.

But once the order does come out (or if Congress takes another crack at passing cybersecurity legislation), the gargantuan challenge of figuring out the existing cybersecurity landscape will become clear.  I’ve been working on my firm’s first public product (coming soon), a cybersecurity databook that promises to hit the highpoints on the complex issue. 

My first task in mapping out the book was to simply describe the cybersecurity environment today, highlighting the roles of the major players and how the ground rules get established.  That was no easy task. 

When it comes to cybersecurity for the energy industry, for example, nearly one hundred government-related entities, standard-setting bodies, private coalitions, and trade associations, all have a hand in establishing or influencing the intricate rules, policies and procedures for how cybersecurity requirements and practices are formed, implemented, regulated and shared – and that’s just on the domestic level.   A massive set of groups and government organizations are busy establishing cybersecurity practices and policies on the international level.

I’ve pasted at the end of the article my list of government, standards-setting and information-sharing groups that are profiled in the report.  (If there are any noteworthy omissions in this list, email me.)

At least 36 different government arms, be they affiliated with the White House, Pentagon, independent regulatory agencies, full-fledged Departments, sponsored labs, working groups, or advisory panels, toil away on energy-related cybersecurity matters.  Some, of course, are more active on a day-to-day basis than others and some, particularly those whose primary jurisdiction is telecommunications, only tangentially but crucially overlap with energy.  Some, particularly military groups, may step in only periodically but when they do, their roles carry a tremendous amount of weight.  Some carry the force of law to get things done, while others are merely conduits for basic research, advice and study.

At least 18 different standards-setting body develop or codify the technical specifications for the engineering methods and techniques for how cybersecurity is implemented in practice.  Again, some are more important than others, with many primarily responsible for telecommunications standards – when it comes to energy, most of the networks that need cybersecurity protection the most are in fact nothing more than telecommunications or IP-based networks.

Finally, at least eight information-sharing or multi-organization groups play important roles in the energy cybersecurity arena. 

With all these groups, comprising hundreds of bureaucrats, military personnel, engineers, technologists and other specialists, trying to tackle the rarefied topic of cybersecurity, it’s hard to see how any single plan or program can come to grips with the issues.  Throw in nearly 10,000 energy creators, transmitters and distributors and it’s clear that energy cybersecurity is nothing short of an endless labyrinth

Government Entities Involved in Energy Cybersecurity National Security Council Department of Commerce     DoC - National Institute of Standards and Technology (NIST)     DoC (NIsT) National Cybersecurity Center of Excellence (NCCoE)     DoC National Telecommunications and Information Administration (NTIA) Department of Defense      DoD Cyber CrimeCenter (DC3)     DoD US Cyber Command  Department of Energy - Office of Electricity Delivery and Energy Reliability     DOE Argonne National Laboratory     DOE Idaho National Laboratory     DOE Lawrence Berkeley National Laboratory     DOE Lawrence Livermore National Laboratory     DOE Los Alamos National Laboratory     DOE New Brunswick Laboratory     DOE Oak Ridge Institution for Science and Education     DOE Pacific Northwest National Laboratory     DOE Sandia National Laboratories Department of Homeland Security     DHS - Cross Sector Cyber Security WG     DHS - Homeland Security Information Network (HSIN)(Private)     DHS - Industrial Control System Joint Working Group (ICSJWG)     DHS - US-Computer Emergency Readiness Team (US-CERT)     DHS - Industrial Control Cyber Emergency Response Center (IS-CERT)     DHS - National Communications System     DHS - National Cybersecurity and Communications Integration Center (NCCIC)     DHS - Sector Coordinating Councils: Electricity and Communications Department of Justice     FBI InfraGard  Department of State FCC Cybersecurity and Communications Reliability Division (CCR)     FCC The Communications Security, Reliability And Interoperability Council (CSRIC) FERC Nuclear Regulatory Commission United States Trade Representative NARUC Committee on Critical Infrastructure Standards Setting Organizations Involved in Energy Cybersecurity Alliance for Telecommunications Industry Solutions (ATIS) American National Standards Institute Institute of Electrical and Electronic Engineers (IEEE) International Electrotechnical Commission (IEC) International Organization for Standardization International Telecommunications Union (ITU) National Electric Reliability Corporation(NERC) North American Energy Standards Board (NAESB) UCA Iug Open SG-Security  UCA IugAMI-SEC OpenSG Information Sharing and Other Multi-Organization Groups Involved in Energy Cybersecurity Advanced Security Acceleration Project for the Smart Grid (ASAP-SG) Electric Power Research Institute (EPRI) Energysec International Society of Automation (ISA) ISA Information Sharing and Analysis Centers: Power  Internet Engineering Task Force (IETF) National Cybersecurity Council Administration National Electric Cyber Security Organization (NESCO) North America Transmission Forum

Image Source:  Wikimedia Commons.

Posted in: Critical Infrastructure,Cyber Security,Cybersecurity Executive Order,Energy