Analyze Cybersecurity Training programs at your own organization| Applied Sciences

Training:

Analyze cybersecurity training programs at your own organization (frequency, use of automation, certification after finishing, etc.). How is cybersecurity training at your organization designed to successfully overcome resistance to changing users’ poor cybersecurity habits?

Should cybersecurity training be designed to correspond to different categories for individual roles and responsibilities in an organization? Explain your answer.

300 words

APA format

2 sources (attached)

Cohesive Cybersecurity Policy Needed for Electric Grid

National Defense, Commentary (August 2011)

Securing the electric grid is one of the key components of preventing terrorist attacks in the United States and increasing the country’s resilience and recovery from such events. A secure electric grid is one that is protected from errors, contingencies or assaults on computer systems and networks.

There is no shortage of government policies for protecting critical infrastructure sectors from network vulnerabilities. What is missing is a focused comprehensive cybersecurity policy for the electricity sector.

Smart-grid technology, which may rely on computer networks to intelligently manage electricity, makes this all the more important.

But electric grid security is a topic that transcends smart-grid applications and reliability standards to issues of national security and international diplomacy. President Obama’s June 2011 “Policy Framework for the 21st Century Grid” by the National Science and Technology Council noted that ensuring that the electric grid can recover from cyber-attacks is “vital to national security and economic well-being.”

A comprehensive cybersecurity policy for the industry is essential for this sector to work with the government to create and deploy technologies necessary to increase grid security and resilience.

Current protection of the critical electric infrastructure sector is fragmented. The quasi-government North American Electric Reliability Corp. (NERC) coordinates information sharing and creates mandatory cybersecurity reliability standards. These are valuable, but cannot replace a cohesive policy. A cybersecurity strategy must include at least six components: improving information sharing; clarifying the role of industry players in responding to different types of cyber-incidents; ensuring awareness of domestic and international law implications beyond the reliability standards; implementing long-term planning; evaluating other countries’ cybersecurity systems; and providing government funding.

In the United States, private companies own and operate most critical infrastructure assets such as power lines and substations. While some may perceive defense against cyber-attacks as purely a government function, given the private ownership, a public-private partnership is necessary.

Two elements of the government/electric industry partnership are the Information Sharing and Analysis Center (ISAC) and the cybersecurity reliability standards. To improve the partnership, NERC should use ISAC’s information sharing function and NERC should assist the industry with determining the scope of cybersecurity protection to be applied by the private industry.

ISAC issues advisories and reliability or security threat alerts. NERC has been the coordinator of the electricity sector since 1998. Often private companies do not have the resources or expertise to conduct extensive evaluations. NERC addresses this need by monitoring private industry information and analyzing it for suspicious activity patterns and potential threats. In turn, the government can benefit from industry expertise and the private sector’s ability to implement certain technologies more rapidly. The long-established use of the ISAC as a security information clearinghouse makes it an ideal platform for cooperation.

The industry’s public-private partnership involves mandatory reliability standards created by NERC, noncompliance with which can result in fines of up to $1 million per day. But simply complying with standards is inadequate to create an electric system resistant to and capable of rapid recovery from terrorist attacks. While the standards address perimeter access, anti-virus, security event monitoring and remote access controls, they do not address the range of appropriate responses in the continuum of cybersecurity events. Security problems range from minor employee mistakes and internal program malfunctions, to Internet viruses and worms and, in the worst-case scenario, to organized attacks by a sovereign state or a terrorist group to take down the entire grid.

Government guidance can help industry better evaluate and plan security measures. Many companies may not have the financial resources or may not be able to justify the extra expense involved in defending against low-probability but high-impact events such as an organized cyber-attack. While industry cannot implement a security system on par with the U.S. military, it can explore security upgrades that complement the existing system.

The existing public-private partnership encourages the electric industry and the government to cooperate in creating guidance on the appropriate responses to different cyber-events.

Other concerns involve the legal implications outside of NERC reliability standards. Depending on whether the electric industry utilizes passive or active defenses, such actions may trigger different laws. These include domestic laws and even the international law of armed conflict. By being sensitive to these nuances, the electric industry protects itself from liability and unanticipated consequences, and improves its effectiveness in advancing the national interest of preventing and recovering from terrorist attacks.

Passive defense measures include strengthening the system via encryption and firewalls, facilitating recovery in the event of a successful attack, and educating users to behave properly during a threat. In contrast, active defense involves neutralizing a perpetrator’s ability to attack, such as sending back destructive viruses.

On the domestic front, certain responses to cyber-events may be illegal. The Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Protection Act prohibit victims from initiating investigations of their own. If a utility uses an active defense, then it should be aware that the CFAA forbids private companies from intentionally causing damage in excess of $5,000 without authorization. Limited relief, however, is available under some circumstances for actions taken in defense of property. Unfortunately, no government-based institutional structure exists to provide the private sector with immediate relief if they are under a cyber-attack. Reporting to law enforcement authorities will only initiate investigations and allow for arrests later on, not permission to immediately launch an active defense to counter or neutralize a network penetration.

On the international front, cybersecurity self-defense could be illegal if it rises to the level of “use of force” or “armed attack” pursuant to the United Nations Charter and customary international law. The fact that a private company may be more likely to use active defense than sovereign states means its action can be mistakenly interpreted as hostile activity by the U.S. government.

Domestic and international law implications add complexities. Utilities can create cybersecurity programs that manage the variety of events if they consider the potential liabilities and consequences of domestic and international laws. Such an understanding can do much to prevent negative diplomatic side effects. Furthermore, effective industry cybersecurity programs will advance the national interest of preventing and recovering from terrorist attacks. In the public-private partnership of cybersecurity protection, utilities can benefit greatly from government legal expertise.

The North American Electric Reliability Corp. has been actively addressing cybersecurity challenges. In 2009, it informed the electric industry that it must improve identification of critical assets because it was discovered that fewer than 63 percent of transmission owners identified at least one critical asset. This basic critical asset identification problem must be resolved before critical cyber-assets can be identified because if there are none, then the reliability standards are useless. NERC has created a variety of pilot programs that assess the power companies’ abilities to resist cyber-attacks and simulate war games.

In addition, a comprehensive policy should include long-term planning, evaluation of other sovereign state cybersecurity protection measures, and federal funding assistance. A strategic plan may include a framework where the industry will analyze certain characteristics to determine when federal government or military involvement is required. It can also include technical goals. Many computers in the electric grid network systems are not connected to the Internet for security reasons. With the implementation of the smart grid, new connections are being made, which requires new Internet security strategies.

The next task for the government is to study the computer networks and Internet systems abroad to determine which tactics may work for the electric grid or for national cybersecurity. For instance, the Chinese government uses the Great Firewall to scan for subversive material, but it can also be used to disconnect Chinese networks from the Internet. Similarly, the Chinese power grid can be disconnected from the net. It is worthwhile to evaluate how these tactics may work in the United States.

Finally, the policy should contain a funding mechanism to close the gap between basic security measures to ensure daily functions and measures for defending against cyber-attacks and warfare in the most extreme circumstances.

Zhen Zhang is an attorney specializing in energy and environmental law. She is a global energy fellow at the Institute for Energy and Environment at Vermont Law School.