In my younger (and arguably more reckless) days, I occasionally joked that “STOP” signs were merely an acronym for “Slow To Observe Police.” Although a tad disrespectful, there is an element of truth to it. I’ll use the analogy of traffic control signals (e.g. stop signs and traffic lights) to make three points that I think relate well to security standards:
- Strict compliance with traffic control signals is not always necessary to be safe.
- It is possible to be strictly compliant with traffic control signals, yet still drive recklessly.
- The presence of police officers perceptibly alters driving behavior in ways that do not always increase safety.
First, in many situations a complete stop at a stop sign (“complete” meaning all forward motion has fully ceased) is not necessary. Most drivers perform “rolling stops” at intersections with clear visibility, and no cross traffic. This is perfectly reasonable. It is also non-compliant. Similarly, before becoming legal in many cases, it was common practice for drivers to make a right turn at a red light if no traffic was oncoming from their left. This is also reasonable, and thankfully, now legal in many areas.
Second, Even the most compliant drivers are capable of being unsafe. It is possible to be driving at the speed limit and not see a child running into the street. It is possible to be mentally distracted and react too late to a vehicle stopping in front of you. One might continue the use of tires that have legal tread depth, but are unsafe for given conditions. There are many ways to be reckless with an automobile without running afoul of written laws.
Third, it is a frustrating reality that most people drive differently in the presence of police officers. This is often a bad thing. Slamming on the brakes while driving at speed in highway traffic is generally not a good idea, but this occurs often at the sight of a police car, or the beep of a radar detector. Most people will not exceed the speed limit when being followed by an officer, even if driving “the limit” would impede the normal flow of traffic potentially causing issues later due to congestion or road rage.
To put this in the context of security regulations, let me restate the original points:
- You can be reasonably secure and still be non-complaint.
- You can be compliant, yet still be insecure
- Compliance enforcement programs can lead to unnatural and detrimental actions on the part of the regulated.
For illustration, I will refer to the security standards with which I am most familiar, NERC CIP. There are common complaints about the CIP standards that relate to these points. On many requirements, even a strong security program can have violations based on one oversight. In other cases, weak security controls can be deemed compliant because they meet the letter of the standard. And finally, there are numerous examples of entities removing functionality or relocating equipment, possibly to the detriment of reliability, just to avoid compliance obligations.
The point of this post is not to disparage the NERC CIP standards. I’m actually going to defend them in this case, not because I believe they are particularly good, but simply because I believe they are misunderstood. A key problem around the CIP standards is the perception that they are intended to achieve security for the bulk power system. See above. Security standards don’t make people secure any more than traffic laws make people safe drivers. Such standards, like traffic laws, exist for three reasons:
- Provide awareness of situations requiring diligence
- Provide guidance on acceptable performance relative to such diligence
- Provide accountability and liability in the event of an incident
Do the NERC CIP standards meet these objectives? Additionally, like traffic laws, security standards should be monitored and enforced with sufficient flexibility to allow for prudently incurred, minor violations that do not impact the overall objectives. Are the NERC CIP standards enforced in this manner? These might be questions the SDT could ask itself as it embarks on the next phase of standard development. I’ll be attending the SDT meeting in Columbus, OH on Jan 18-20, and will be interested in learning their direction for the next phase of development. If you’re there, say hi, otherwise I can be reached at steve at energysec dot org.