# Opener

Moving Above and Beyond Compliance, Part 1: Compliance Firefighting

Published by Axio

Critical infrastructure is a clear target for cyber adversaries. It includes all assets necessary to keep a society functioning, such as our power grid and water systems, which are vital to the well-being of citizens, the community and the economy. The energy sector is heavily interconnected and an attack on the power grid can leave a significant impact. Adversaries’ attempts on OT systems enables them to use technology to carry out a physical attack that can impact national security. Cyber-attacks on our critical infrastructure have accelerated during COVID-19, leading to an increased implementation of standards like NERC CIP. Scrambling to comply with standards like NERC CIP, organizations often find themselves compliance firefighting.

The Natural Reaction to New Legislation

The introduction or change in compliance standards prompts the knee-jerk reaction of compliance firefighting. As mentioned by our co-founder and president, David White, in our recent webinar co-hosted with Archer. When a cyber event occurs, it triggers lawmakers to implement standards that aim to prevent future events. As organizations react to these new mandates, they are putting in controls and fighting “fires” of their own. Unfortunately, sometimes companies get caught in the fire when they do not or are unable to implement these controls to meet these NERC compliance standards.

Large Utilities Fined by NERC

NERC compliance is more than just a check-the-box type of requirement. Meeting NERC compliance can often be cumbersome, and violations can result in fines. Duke Energy was fined $10M by NERC in 2019 due to security violations, largely self-reported. Duke was not alone in the fire, PG&E, DTE Energy and City Utilities of Springfield, Missouri were also found in violation of NERC compliance standards. Recently, in early 2020, another unnamed company was also fined $450,000 due to violations. Violations are not uncommon and usually the companies in violation are anonymized to encourage self-reporting and to protect critical infrastructure.

NERC’s strict reinforcement of CIP standards is meant to reduce the potential of these attacks, and more standards will continue to be implemented as the threat landscape evolves. For example, NERC CIP 13, went into effect in July and is meant to secure suppliers working with the energy sector. Suppliers will have 18 months to become compliant or they will face penalties. With this new NERC CIP 13 standard, organizations will have another “fire” to fight and some companies may not put the fire out in time to avoid penalties.

Proactive Approach to Reducing Cyber Fires

“We’ll never get completely out of the firefighting business as it relates to compliance,” said Mark Brahmstadt (Director of Business Development at Archer) in our joint webinar. He went on to say, “Firefighting will stay a natural part of the compliance cycle. However, companies can move from the default of firefighting to being just a component of what they’re working on.”

The first step towards a reduction in compliance firefighting is a proactive approach toward cybersecurity.With more potential cyber events, more NERC compliance standards will be introduced and upheld to reduce risk. Companies can get ahead of compliance by considering a proactive approach to implementing controls. A proactive approach can allow an organization to reduce their susceptibility to large, significant events and prioritize their investments.

With a tight budget and a limited amount of resources, companies may be skeptical towards investing in unmandated controls. However, this proactive approach can possibly reduce risk and save costs in the long run. Instead of rushing to implement controls, there are tools available to quickly prioritize which cyber risks matter most and deserve to be addressed first. And these tools don’t require a significant investment in time and resources. In our webinar, we walk through a case study showing how this is possible with our Axio360 platform.

Tune into part two of this blog series to learn about a FERC staff white paper that goes beyond NERC compliance and pushes organizations towards industry best practices. This white paper outlines what those best practices are and the incentives that could be provided to organizations. The implementation of best practices can possibly reduce the amount of “fires” cyber leaders have to put out. Find out how Axio360 can help you along the way.

The energy sector isn’t the only industry at risk. Read our recent blog about the Capital One data breach that put cyber risk management in the spotlight.