Presidential attention raises the priority level for cybersecurity.
Since the concept of cybersecurity standards first emerged, sometime around Y2K, the industry and its regulators have engaged in a fascinating tug-of-war. The industry wants standards that are clear but also flexible. Regulators want compliance with the rules, but they know what’s really needed is security and reliability—and that’s not necessarily the result of bare compliance.
Fortnightly has closely followed the process of promulgating cybersecurity standards for several years, most recently in our February 2013 issue (see “NERC on a Wire: The reliability organization struggles with reforms, as FERC hovers,” by Jonathan D. Schneider). Amid all the technical and operational issues involved with critical infrastructure protection (CIP), one practical issue has posed what seems like an intractable dilemma: the need for collaboration and transparency in what is a highly complex and sensitive process.
Communication involving security matters is a dual-edged sword. Stakeholders need to freely communicate so they can better understand the nature of security threats. But at the same time, those same stakeholders are loath to share information that could come back to haunt them in some way.