Thursday, February 7, 2013

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

After reviewing the new document myself, and getting some input from the authors, while there are numerous small changes that help, the main difference seems to be an emphasis on having regulators develop an overarching strategy before diving into more granular elements like orders, requirements and rules.

To me this is creates a nice parallel to what some of the more forward leaning utilities are doing when they work to create security architectures. In both cases, whether on the regulator or the regulated side, the enabling concept is to craft a coherent larger plan before making point enforcement decisions or deploying point security solutions.  Unquestionably sound stuff.

But still there's this (a holdover from version 1.0). Question 28 under Personnel and Policies invites commissioners to ask: "Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?"

I would arm the commissioners with the knowledge that while many utilities will reflexively say they have a CSO, that he or she is neither a true C (chief) nor a true O (corporate officer).  When there are more true executive level security chiefs out there, empowered to develop and enforce cybersecurity policy enterprise-wide (IT, Smart Grid and OT) then that will clearly mark a departure from status quo and the beginning of a more proactive, cyber risk management-based utility culture.

And maybe we'll see that called out in NARUC's 3.0 version. But for the moment, I think these folks deserve a pause to refresh. They've been producing high quality guidance at a very rapid pace ... kudos.


* For those unfamiliar with this acronym, it stands for the National Association of Regulator Utility Commissioners.  This is the national body that represents the electric, telecom and water regulating interests of the 50 US states. From a security point of view, NARUC and the state commissioners primarily watch the distribution elements of the grid, whereas the NERC CIPs in North America focus on large generation and transmission assets. You can check out the NARUC site by clicking HERE.

19 comments:

Unknown said...

If somebody wants expert take on the main topic of blogging next I advise him/her to go to this site, continue the fussy job.http://www.huffingtonpost.com/shane-paul-neil/big-data-bigger-breaches-_b_6109928.html

Justin Bieber said...

The stuff in this blog is in not only incredible but also providing the great knowledge to the people.payday loan with savings account

Unknown said...

Your style is so exclusive compared to other individuals. Thank you for posting when you have the chance, guess I would just make this bookmarked.
advanced loans

Chris Pratt said...

Thanks for compiling such nicest information in your blogs. Articles are very informative and hope again I’ll find more like that.single premium life insurance

Unknown said...

Cool blog site friend I'm about to suggest this to all my listing contacts.orogold

Anonymous said...

I am greatly thankful to you for this exciting blog; I am cheerful because of your smart working really. Sugar Land roofing

Unknown said...

Whatever you have provided for us in these posts really appreciative.pay day loans

Unknown said...

Whenever I have free time I read the blogs but today I got the unique blog page where I learnt many new things thanks guys! Lakeville bathroom remodel

Unknown said...

With polite greetings I want to say that this post is amazing!! Thanks online payday loans

Unknown said...

Your blogs and its stuff magnetize me to return again n again. niche profit full control review

Unknown said...

Guys you did great work. I’m very pleased to say that these are wonderful articles and blogs. Thanks for this. term life insurance

Unknown said...

I got your blog yesterday and still I am waiting for the new posts… this is quite satisfying blog so all guys come here and learn something special. cash loan

Unknown said...

Hurrah, this is the thing which I was searching for, what a cool stuff it is!!! water softener reviews

Unknown said...

Hey enormous stuff or pleasant information you are offering here.forklift train the trainer certification

Unknown said...

Excellent post! I had been fed up for a long time searching lots of sites, but now I have come on the right place. Thanks New York Brain Injury Lawyer

donnajacob said...

Hi Dear, have you been certainly visiting this site daily, if that's the case you then will certainly get good knowledge. Vine Vine Skin Care

donnajacob said...

This is really an excellent blog as well as its content. Vine Vera Reviews

Unknown said...

In actual fact the blogging is spreading its wings fast. Your write up is the best example of it. life insurance and depression

donnajacob said...

The quality of your blogs and conjointly the articles and price appreciating. vehicle wraps