
Don’t Give Compliance a Bad Name

December 6, 2022

When they first asked me to write something about the changing role of compliance in security decision-making, I was worried. I never want to promote a mindset where compliance is more important than security, because that’s obviously dangerous. Compliance is an outcome or a desired state. It’s not a substitute for security strategy.

But I did want to stand up strongly for compliance as a driver for change. More importantly, I wanted to take aim at many in our industry who continue to dismiss compliance and its effectiveness. As I thought more about it, the story became clearer in my head. More importantly, as a typical child of the 80s, I realized I already had a title ready in the back of my mind. In the iconic words of Bon Jovi: SECURITY PRACTITIONERS, YOU GIVE COMPLIANCE A BAD NAME.

Often misunderstood, frequently underappreciated

As I already mentioned, the misgivings about compliance aren’t hard to understand. Compliance and security teams have historically pursued separate outcomes and answered to different stakeholders. Compliance teams have typically been perceived as checklist-driven, whereas security is about being adaptive and intelligent in real time.

For all the claims about compliance rules and their ineffectiveness, a look at other, less-regulated verticals is instructive. Although early compliance rules were largely an administrative burden that sometimes clashed with security and safety priorities, I do believe they ultimately achieved their goal by raising security awareness. This is in stark contrast to non-CIP infrastructure such as pipelines regulated by TSA, which have been plagued with both compliance and security problems. It’s also probably safe to assume that without recent triggers like Colonial Pipeline and other geopolitical events, we might still not have any guidance there at all. On balance, maybe all the work and collaboration that goes into achieving compliance goals does matter after all.

But rules alone aren’t enough to shift culture, leaving teams operating in silos. It’s no surprise that this disconnect and distrust serve neither security nor compliance outcomes very well. The good news is that fundamentally outdated thinking on compliance is a big part of the problem, and that’s something we can work to fix.

Taking a new look at NERC CIP

Experts are right. Compliance frameworks, NERC CIP included, aren’t robust enough on their own to drive a comprehensive security program. They can’t magically align decision-makers on prioritizing challenges and solutions. But they can get (and keep) everybody moving in the right direction, strategically and operationally.

It gets budgets and brains on board

One of the things NERC CIP does is drive accountability, in particular through the requirement to appoint a CIP Senior Manager. In many organizations, this ends up being a member of the C-suite or other key leadership. This puts them on the hook for overall program success. It raises awareness across the organization, elevating conversations around security to the highest levels of leadership, helping to align teams around common priorities and collaborative decision-making.

It’s 100% Aligned With Risk-Based Security Thinking

If compliance can help drive consensus and alignment about shared priorities, what about strategies and tactics?

Modern risk-based security is driven by the belief that while all assets are valuable, some are more valuable than others. It’s also a dynamic view, since risk levels change over time. NERC CIP guidance doesn’t get this prescriptive, at least not off the shelf. But does that mean it’s out of step with current thinking?

I’d argue almost the exact opposite. At an asset level, NERC CIP guidance is about focusing on your highest-value targets, in this case grid-connected assets. The value of an asset to the stability and reliability of the grid directly correlates with its risk. Instead of identifying crown-jewel data stores, as we do in information security, the bright-line criteria from CIP-002 establish engineering-based criteria to identify the most impactful assets. They even allow local experts to make overrides and bring in assets that would otherwise slip through the cracks. This scoring is then translated into layered defenses of varying strength, applied according to the facility’s risk weighting. It’s another way NERC CIP helps security teams drive meaningful movement toward best practices and solutions.

It's an evolving work in progress

Like any good security guidance, NERC CIP is a work in progress. Since the cyber rules became mandatory almost 15 years ago, each update has helped close the gap between compliance and security.

  • CIP 2 leveraged the power of baseline asset scans to determine risk across the environment
  • CIP 3 tried to get prescriptive with security management controls, but mostly demonstrated what happens when regulators overreach
  • CIP 4 focused on users and identity
  • CIP 5 and 6 focused on shifting perimeters (a key tenet of zero trust, too)

We can see an evolution in thinking over time, just as with security. And of course, the list keeps growing. Compliance, like security, can’t sit still, and the scope of CIP continues to expand, covering everything from physical plant security to supply chain and third-party risk, and lately even the changing make-up of facilities on the grid, with a look at inverter-based facilities (and hopefully carrying leadership along with it).

A Better Kind of Checklist

Compliance rules are putting money into security and helping raise the level of cultural education and awareness. Security and IT organizations need to seize this momentum and leverage NERC CIP guidance to drive some security basics.

Here’s a good way to start—with some NERC CIP mandated security basics.

  • Highlight perimeters, both electronic and physical, around and between environments, identifying access points for both.
  • Next, it’s time to scan for assets. NERC CIP gives you some granularity beyond BES, including transient cyber assets. This all maps directly to appropriate controls.
  • Then it’s time to scan for applications and software. This is NERC CIP required and an input to later vulnerability assessments.
  • Additionally, NERC CIP 4 also requires regular review of authorized users and permissions. This is essential to preventing permission creep and moving towards a ‘least privilege’ standard as defined by modern zero trust thinking.
  • Last, but not least, NERC CIP 10 helps the organization focus on change and configuration management. Just like with assets, a baseline scan here helps us focus on watching for change going forward.

This isn’t just security best practices in action—it’s compliance, and you have NERC CIP to thank.
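To make the last two checklist items concrete, here is an added example (not code from the original post or from NERC) of a CIP-010-style baseline compared against a later snapshot, plus a CIP-004-style check for accounts outside the authorized list. The asset name, software, services and user lists are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Per-asset inventory of the kind a CIP-010 baseline records."""
    asset: str
    software: frozenset   # installed packages / firmware versions
    services: frozenset   # listening network services
    users: frozenset      # local accounts present on the asset

# Constructed baseline and authorized-user list; asset names are placeholders.
BASELINE = {"rtu-substation-a": Snapshot(
    "rtu-substation-a",
    frozenset({"firmware 4.2.1", "sshd 8.9"}),
    frozenset({"22/tcp", "20000/tcp"}),
    frozenset({"ops-eng", "svc-backup"}))}
AUTHORIZED_USERS = {"rtu-substation-a": {"ops-eng", "svc-backup"}}

# Constructed later snapshot: a telnet service and an extra account appeared.
CURRENT = {"rtu-substation-a": Snapshot(
    "rtu-substation-a",
    frozenset({"firmware 4.2.1", "sshd 8.9", "telnetd 0.17"}),
    frozenset({"22/tcp", "23/tcp", "20000/tcp"}),
    frozenset({"ops-eng", "svc-backup", "contractor1"}))}

def diff_snapshot(baseline, current):
    """Return (category, change, item) tuples for every deviation from baseline."""
    findings = []
    for category in ("software", "services", "users"):
        before, after = getattr(baseline, category), getattr(current, category)
        findings += [(category, "added", x) for x in sorted(after - before)]
        findings += [(category, "removed", x) for x in sorted(before - after)]
    return findings

def review_access(asset, current, authorized):
    """CIP-004 style review: accounts present but absent from the authorized list."""
    return sorted(current.users - authorized.get(asset, set()))

def audit(current, baseline=BASELINE, authorized=AUTHORIZED_USERS):
    """Per-asset report of baseline deviations and unauthorized accounts."""
    return {asset: {"deviations": diff_snapshot(baseline[asset], snap),
                    "unauthorized_users": review_access(asset, snap, authorized)}
            for asset, snap in current.items() if asset in baseline}

if __name__ == "__main__":
    for asset, result in audit(CURRENT).items():
        print(asset, result)
```

Every deviation reported should map to an approved change record; anything without one is exactly the unmanaged change the baseline exists to catch.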

Singing a new tune on compliance

I’m not naïve about the power of compliance. There will always be teams who will do the bare minimum when it comes to security, and compliance can’t change that. But we must stop treating compliance like a useless academic exercise. NERC CIP showed us that it can play a vital role in driving both accountability and action across the organization.

And that’s good news for everybody.