ISA Utilities Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Telecom Sector Recommendations

Source: Chapter 8 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Enhance Information Sharing Between Utilities and The Federal Government

“Utilities, as highly regulated entities, have a long history of collaborating with government. But there are obvious caveats. They require a better understanding of how the government and the national security apparatus use the information they supply, and what protections will be put in place to keep sensitive data confidential. These issues will need to be addressed in order to foster sound public-private partnerships and a fundamental relationship of trust and collaboration between the private-sector stakeholders responsible for delivering our nation’s electricity and the government.”

Commission Action Item 1.2.3: The federal government should provide companies the option to engage proactively and candidly in formal collaboration with the government to advance cyber risk management practices and to establish a well-coordinated joint defense plan based on the principles of the Cybersecurity Framework. (SHORT TERM)

Commission text: Even though closer and more substantive public–private sharing of risk management practices shows great promise in improving overall cybersecurity, this approach continues to be hindered by companies’ concerns about increasing their exposure to legal actions. To address these impediments to helpful collaboration, DHS should work with industry to identify changes in statutes, regulations, or policies that would encourage participating companies to more freely share information about their risk management practices by protecting relevant documents, communications, or deliberations from:

• public disclosure under Freedom of Information Act (FOIA) or state transparency laws;

• discovery in civil litigation;

• use in regulatory enforcement investigations or actions;

• use as record evidence in regulatory rule-making processes; and,

• waiver of attorney–client privilege.

These protections should be implemented under the statutory Protected Critical Infrastructure Information protections administered by DHS. … Using the Cybersecurity Framework approach as a basis, regulatory agencies should adopt policies that incorporate protections into their engagements with regulated entities. Furthermore, Congress should pass legislation updating and expanding these protections beyond critical infrastructure sectors and regulated entities.

Encourage Public-Private Collaboration to Manage Vendor Risks

“The grid is composed of assets from vendors, both hardware and software. As such, vendors must play their part in the security of the grid. A new balance needs to be struck between the commercial needs of vendors, who would prefer not to reveal the workings of their products, and the needs of electric utilities to both ensure assets are not prepackaged with malware and understand better how assets would behave if they were to be controlled maliciously. Utilities need more transparency into the assets they install onto their grids, and they need to be able to modify those same assets to test the possible impact of malicious tampering in real-world settings.”

Commission Action Item 1.2.4: Federal agencies should expand the current implementation of the information-sharing strategy to include exchange of information on organizational interdependencies within the cyber supply chain. (SHORT TERM)

Commission text: While some private-sector organizations are diligent in addressing cyber risks to and through their cyber supply chains, many others either are unaware of the risks or do not have the information and resources necessary to implement an organizationally integrated and robust cyber supply chain risk management program.