A recent audit from the office of the U.S. Department of Energy's Inspector General painted a not-so-rosy picture of efforts to secure the nation's power grid. But it also highlighted something of a conundrum in the world of compliance-how to take a truly risk-based approach when organizations have an incentive to underreport risk.
Inside the report (PDF), the department states its audit, which was conducted between October 2009 and November 2010, found existing CIP (critical infrastructure protection) standards do not always include controls commonly recommended for protecting critical information systems. But another problem was much more basic-the standards did not include a clear definition of what constitutes a critical asset.
"When outlining what attributes should be considered when proposing reliability standards, the (Federal Energy Regulatory Commission) noted in Order 672...that CIP reliability standards should be clear and unambiguous regarding what is required and who is required to comply," the report states. "The Commission noted that such clarity was necessary because users, owners and operators of the bulk electric system must know what they are required to do to maintain reliability. Despite this guidance, both Commission and NERC (Nuclear Energy Regulatory Commission) officials stated that they believed entities were under-reporting the number of critical assets and associated critical cyber assets."
For example, the DOE notes that in April 2009, then-NERC Chief Security Officer Michael Assante reported that only 29 percent of power generation owners and operators - and less than 63 percent of power transmission owners - identified at least one critical asset on a self-certification compliance survey. Subsequent filings by organizations have not shown significant improvement in the reporting of critical assets, despite the fact those assets could include such things as control centers and transmission substations, the report adds.
"Every so-called risk-based security plan starts with: 'identify your critical assets'," said Richard Stiennon, chief research analyst at IT-Harvest. "This never works in IT organizations because it requires someone to admit that the assets they are responsible (for) are not critical. Of course the DBAs (database administrators) say their Oracle database servers are critical, the e-mail guys say e-mail is critical, the Web team says the Web servers are critical. So you do not get the weighted differentiation you hoped for."
When regulations are involved there can be the opposite effect as businesses look to avoid some of the costs associated with compliance, he said.
"If you have to disclose a breach of critical health care information or PII (personally identifiable information) immediately none is critical," he said. "If you have to archive critical communications, suddenly no communication is critical. This is why regulation based on risk does not work either."