
Protecting Critical Infrastructure: Should the US Emulate New German Regulations?

In August 2014, France’s Network & Information Security Agency (ANSSI) publicly unveiled plans to “make its critical infrastructure more resilient to cyber attacks.” The rules and guidelines established by ANSSI impact France’s entire critical infrastructure supply chain, including control system asset owners, operators and IT administrators, system integrators, service providers and product manufacturers. While these regulations were announced with minimal fanfare, ANSSI formulated what would become the European Union’s (EU) first mandatory critical infrastructure cybersecurity installation and maintenance requirements.

Nearly one year later, the German Parliament followed suit, passing regulations intended to hold the owners and operators of critical infrastructure accountable for maintaining strict cybersecurity standards. However, this regulation diverges from French law, adding provisions that mandate penalties up to €100,000 ($114,000) for noncompliance. As a result of the legislation, more than 2,000 German organizations were given a two-year grace period to comply with the complex certification requirements. Each organization must now also obtain clearance from the country’s Federal Office of Information Security. The cascading effects of the regulation will also impact non-German organizations within the supply chain.

While there are some critics speaking out against the law, Germany’s Interior Minister, Thomas de Maizière, captured the majority viewpoint when he described the law as “a central component of the public and internal security.” While some see the law as a show of global leadership, others see Germany having promulgated the world’s first critical infrastructure cybersecurity regulations enforceable by economic penalty.

Despite the precedent set by its elected counterparts in France and Germany, the US Congress has not taken broad action to assert similar authority to facilitate critical infrastructure cybersecurity policy. The only instance of similar action came through the Energy Policy Act of 2005, whereby the Federal Energy Regulatory Commission (FERC), which is empowered by Congress, approved revisions to the definition of the bulk electric system (BES) to “provide greater clarity, consistency and improved reliability by focusing on core facilities that are necessary for operating the interconnected transmission network.”

As a result, FERC granted the North American Electric Reliability Corporation (NERC) authority to coordinate with BES partners to issue the NERC Critical Infrastructure Protection Cyber Security Reliability Standards (NERC CIP). While NERC CIP doesn’t span industry the way Germany’s cybersecurity law does, it’s nevertheless widely recognized as precedent-setting, since it directly acknowledged cybersecurity risks to private-sector industrial control systems and set forth requirements to address them.

The energy sector and its bulk power segment aside, Congress remains deliberately indecisive, due in large part to the influence of the private sector, which owns and controls most of the infrastructure in question. This is despite reports that critical infrastructure operators are experiencing heightened levels and frequency of cyber attacks.

Later this year, the Senate is poised to debate the National Cybersecurity and Critical Infrastructure Protection Act, which has already been passed by the House. This legislation would amend the 2002 Homeland Security Act to “facilitate a national effort to strengthen and maintain critical infrastructure from cyber threats,” among other provisions to “prevent, mitigate, respond to and recover from cyber incidents.”

With growing indicators of a proliferation of advanced threats targeting critical infrastructure, the Department of Homeland Security (DHS) and other agencies in the US Intelligence Community are facing mounting pressures to increase information sharing with the private sector. At the same time, Congress is being pushed to at least debate legislation and make its intentions for governance known.

Understanding critical infrastructure in the United States & Germany

In 2014, the White House released what has become the most accepted definition of critical infrastructure — President Obama’s Executive Order 13636. Under the order, critical infrastructure is defined as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.” This carried over into the resulting National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) that has been promulgated as voluntary guidelines for all industry sectors to follow.

The definition does not draw a distinction between government and privately owned assets, yet the United States is fairly unique when compared to other countries since nearly 85 percent of its critical infrastructure is privately owned, operated or a combination thereof. This private ownership spans most industry sectors and application types, including power/utilities, oil and gas, chemical/pharmaceutical, critical manufacturing, financial services, telecommunications, transportation and aviation.

Free-market principles typically steer US industry — principles that include business objectives to maximize shareholder wealth, reduce organizational risks and maintain corporate reputation and competitive edge. This has led private industry to be slow to adapt and protect itself against the evolving threat landscape affecting critical infrastructure, since cybersecurity investment is often perceived to offer little return on investment.

In stark contrast, German critical infrastructure, which includes “transportation, health, water utilities, telecommunications providers, finance and insurance firms,” is more broadly owned, operated and influenced by the state. Akin to the country’s nationalistic mandates for education and the universality of its healthcare, the integrity, reliability and accountability of its critical infrastructure remain the sole responsibility of the government and its security agencies. In fact, there are minimal financial motivations or private sector obligations that would push back against implementation of German laws once an edict is delivered.

Within the EU, the products and services created and distributed by critical infrastructure facilities in one country are often shared with other member countries. For example, Germany is a large exporter of power and renewable energy across Europe. As such, the economic conditions for regulation within the EU are positioned favorably to facilitate reliable delivery to those who depend on energy resources.

The United States, however, doesn’t share significant critical infrastructure resources with Canada or Mexico. Where it does, such as with the BES and telecommunications sectors, it is not in the form of government trade, but rather it is executed as a business transaction led by the private sector with limited governmental oversight.

Germany, like much of Europe, embraces nationalistic tendencies and has an economy and industry that make widespread regulations more enforceable, acceptable and rapidly deployable. Overall, the German government and its citizens hold a different perspective than the United States on what is deemed an appropriate level of governmental influence, especially on commerce.

Risk reduction and the role of the US government

A question the US government needs to definitively answer is not whether critical infrastructure cybersecurity regulation is necessary, but rather whether laws or regulatory pressures have the capability to notably reduce risk and make citizens and businesses safer and more secure. It’s a complicated question, especially with cybersecurity being a cross-cutting problem between local, state and federal agencies.

Consider for a moment if regulation results in nothing more than a least common denominator for establishing the security posture of critical infrastructure systems. One unintended consequence would certainly be a more educated adversary, aware of precisely where a sector’s protections are weak.

In Germany, the legislation is in the public domain, so threat actors intent on affecting critical systems have presumably gained yet another opportunity to gather intelligence on implementation timelines, uniform security controls and design practices.

The regulations implemented by Germany were deemed the government’s best way to mitigate risks, but that doesn’t mean the same approach can be effective, or should necessarily be implemented, in the United States. The challenge with US critical infrastructure cybersecurity is its overlap as both a national security and public safety issue, even though the private sector maintains most of the controls.

But, as long as threat actors have the means, motive and opportunity to disrupt, there is no legislation or regulation on Earth that can guarantee safety … or truly assure adequate security for critical infrastructure.

Instead, through industry and government collaboration, both entities need to take appropriate actions to protect not just the bottom line, but to also protect all who depend so greatly on the safety and reliability of the products and services that constitute critical infrastructure.

Michael Assante is the co-founder and chief security strategist at NexDefense, and the ICS and SCADA lead at the SANS Institute. Doug Wylie is a 20-year veteran of the ICS security industry, and currently serves as the vice president of product marketing and strategy at NexDefense.

Homeland Security Today (http://www.hstoday.us)
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
