
Why regulations alone won’t make our critical infrastructure more secure

Today’s columnist, Pritesh Parekh of Delphix, argues that security teams can prevent more major ransomware attacks like the one on Colonial Pipeline by developing a back-up strategy that includes air gaps and virtualization. (Photo by Drew Angerer/Getty Images)

Critical infrastructure has become more vulnerable than ever to cyberattacks as adversaries are targeting everything from water supplies to oil pipelines.

Attacks such as the one on Colonial Pipeline served as major examples of how these incidents can bring major industrial operations to a standstill. They also served as a warning bell for those responsible for securing critical infrastructure and a dinner bell for threat actors looking to hone their craft and make a huge impact – and there’s no turning back.

After the Colonial Pipeline attack, the government sprang into action. Executive directives, 90-day plans, and the threat of regulations rang across industry to mandate action from a private sector that's woefully unprepared to handle the next waves of cyberattacks.

The debate quickly turned to how the government should increase regulations and how many they should mandate. However, in this lies the real threat: If we overfocus on regulation, we’ll get the opposite result of the goal. We’ll wind up increasingly vulnerable to cyberattacks, rather than more protected.

We can regulate to compliance, but we can’t regulate our way to security. Government regulations have their place but will never be “the answer.” There's a difference between being compliant and being secure. Regulations check if risk control exists, rather than assessing its implementation. Furthermore, attackers fueled by political, ideological, economic, and personal goals are vastly more motivated to innovate, adapt, and attack than industry can defend itself.

Protecting critical infrastructure systems and devices

When we are physically attacked, we expect government to step in. However, in cyberspace, government cannot build digital barriers to protect industry – the digital frontlines are the private sector companies that run critical operations.

Regulations set a baseline, start conversations, and provide frameworks for action. Unfortunately, many companies wait for the government to lead the change. Worse yet, there's a false sense of security that if a company becomes compliant, it's safe. It's dangerous for organizations to become complacent once they've met the list of regulatory requirements. Cyber criminals only have to get it right one time – organizations must get it right every time.

Why we must depend on market drivers

Companies won’t spontaneously invest in industrial cybersecurity. To push real change, cybersecurity technology and services must get injected into the core market drivers that fuel companies. When market valuations, competitive advantages, ability to bid, and key financial performance indicators depend on a company’s cybersecurity posture, we’ll see real investment.

The nation needs sustained, significant and clear market drivers, rather than one-time fines. If the industry demands proof of elevated cyber hygiene to bid on big contracts, the entire board of directors will bang on tables demanding better cyber initiatives.

What the government can do now

Regulations have been the traditional hammer the government uses to force change. However, the government has a toolbox of support options. From creating forums and mechanisms for information sharing, innovation investments, and industry collaborations to develop and promote solutions, the government can play a huge role. Government has to walk the fine line of integrating cyber into key market drivers without relying solely on regulations. This perspective shift will bring new possibilities.

Some ways government could integrate cyber into market drivers include:

Build a maturity rating system: Companies would get judged on how well they implement a control, rather than if they check a box. The government could invest in its development and hand it over to the private sector for implementation. We could use the rating system across industries – from insurance companies to market analysts as a way to gain insight into how well a company manages their cyber risk.

Leverage purchasing power: The government can influence market drivers through its own purchasing and acquisitions. By demanding proof of cyber best practices as part of the purchasing process, it would lead by example in positioning cyber as a competitive advantage.

Work the supply chain: The government can work across supply chains to promote cyber as an important component to risk management and have an immense impact on each supply chain link, demanding better cybersecurity from the link before it.

Identify opportunities across industries: The government has deep ties and innumerable levers within each industry. It can work with industry to identify further levers to help promote and cultivate market-driven cyber change.

What organizations can do now

Organizations should demand that prospective partners and suppliers along the supply chain demonstrate good cyber hygiene practices as part of their due diligence and operational risk management. They’ll soon realize they can improve their bottom line and feel confident that their business partners are as proactive as they are, while also protecting their reputation and avoiding future attacks. This ecosystem of solid cyber protection demonstrates to boards of directors and shareholders alike that the company’s reputation is safe from even the smallest cyber incident.

Ian Bramson, global head of industrial cybersecurity, ABS Group
