Cyber Security

Balancing Act: Regulation and Incentives in Cybersecurity

Cybersecurity Blog Series: Part 2

How do regulation and legislation impact global cybersecurity practices? What about incentives? In part one of this series, I discussed the importance of standards in preventing cyberattacks, particularly in our increasingly industrialized digital and IoT world. Here, I’ll explore regulations and the role of incentives in cybersecurity.

While regulations and legislation vary by country, cyberattacks are border agnostic. Attacks—both attempted and successful—targeting a facility in any one country can have detrimental consequences worldwide. Therefore, it makes sense to put in place international guardrails and agreements on cybersecurity best practices.

This includes initiatives from the International Society of Automation (ISA), including IEC 62443, a set of standards developed by ISA99 and International Electrotechnical Commission (IEC) committees to improve the safety, availability, integrity and confidentiality of components or systems used in industrial automation and control. Adopted by many countries, these standards are utilized across industrial control segments.

However, standards bodies are just one piece of a broader matrix of players, including government (and the legislation they drive), industrial plant operators/owners, vendors/suppliers and academia. All of these must collaboratively tackle the monumental and ever-evolving task of cyber attack prevention.

Legislation 

With many of today’s attacks perpetrated by malicious actors, such as nation-states, who have unlimited time, resources and funding, cyber-defense strategies and protocols set by the government can make an impact. Take for example the U.S. National Institute of Standards and Technology (NIST) framework, which is the authoritative source for cybersecurity best practices and recently expanded to address evolving identity management and supply chain topics.

Even more recently, on Nov. 28, 2018, the U.S. House of Representatives passed the SMART IoT Act in a unanimous vote, sending the bill to the U.S. Senate. The legislation, introduced by Rep. Robert Latta (R-Ohio), tasks the Department of Commerce with studying the current internet-of-things industry in the United States. The research would look into who develops IoT technologies, what federal agencies have jurisdiction in overseeing this industry and what regulations have already been developed. The outcome of this Act is a potential opportunity for positive reinforcement of fundamental cybersecurity practices to be written into law, protecting individuals and industry.

As a region, and already well established, North America also has the North American Electric Reliability Corporation (NERC) standards, which ensures by law that power system owners, operators and users comply with a specific set of standards that are meant to protect the power grid from both physical and cyberattacks. The Federal Energy Regulatory Commission, an agency that issues fines for noncompliance, backs NERC in the United States.

This is also true around the world. Germany’s IT Security Act is responsible for protecting the critical German infrastructure. In the United Kingdom, the responsibilities for safeguarding and maintaining Critical National Infrastructure (CNI) continue under the Civil Contingencies Act of 2004. The U.K. government’s work around CNI mostly takes the form of non-mandatory guidance and good practices. Their approach can best be understood by reading the U.K. National Cybersecurity Strategy document. More specific to the Industrial Automation Control Systems (IACS) industry in the United Kingdom is the excellent operational guidance document Cyber Security for Industrial Automation and Control Systems.

The European Commission published, in the autumn of 2017, a proposal for a regulation that clarifies the role of ENISA (the European Union Agency for Network and Information Security) and introduces the idea of an Information and Communication Technology cybersecurity certification, or “Cybersecurity Act.” This is a good idea, similar to IEC 62443, that seeks to standardize evaluation and certification schemes.

Other countries have similar standards or are in the process of creating them. In countries like France, standards are also carrying the weight of law.

Promoting Incentive-based Regulation

While there are different schools of thought on what works best in the regulation vs. incentive debate, it doesn’t have to be an either-or scenario. Do end-users need oversight? Yes. Do we all agree keeping equipment, software and operating protocol regularly updated is a critical step in prevention? Absolutely. Is there only one way to achieve this goal? No. Consider incentive-based regulation:

A government regulation that is designed to induce changes in the behavior of individuals or firms, in order to produce environmental, social, or economic benefits that would otherwise be prescribed by legislation[1].

An approach that incentivizes end users to adopt the latest equipment, software, training and operating protocols with national cybersecurity funding that ties back to national priorities would give policymakers the support they need to enforce current and encourage new regulation that ties back to common priorities. This tie-back is important because it fosters regulatory compliance while driving company priorities.

How can regulatory incentives be introduced to promote investment? Any major investor-owned utility looks for investments that can create the most value for their shareholders. In cases where cybersecurity-driven modernization investments are not the best choice regarding shareholder value, we should consider federal incentive mechanisms that encourage such investments when they are in the public interest. These mechanisms come in many forms. Most simplistically they could take the form of tax incentives or abatements. Investments in improving cybersecurity in some regulated sectors would come with tax write-offs.

Other, more complex incentives include things like rebates for specific investments through federally funded programs, price caps (a form of performance-based rate-making) and performance-based incentives tied to specific cybersecurity-related goals that can be considered.

Regardless of how the incentives are funded and structured, the scenario can be mutually beneficial for shareholders, owner/operators, providers and the public alike. The government encourages investing in and acquiring modern industrial automation and control systems and solutions that help prevent potentially catastrophic events from occurring; the plant or utility receives funding to reinvest in the latest technology, staff training and liability management initiatives.

In my next post, I’ll delve into the very interesting point of cybersecurity risk management accountability.

As with most aspects of cybersecurity prevention, balance is often the best practice. As a collaborative industry, we should explore a balance of regulation, standards and incentives.

For more insight from Schneider Electric on cybersecurity, download our whitepaper: “Cybersecurity Best Practices.”

[1] Oxford Reference – http://www.oxfordreference.com/view/10.1093/oi/authority.20110803100000562


One Response

Leave a Reply

  • (will not be published)