SecureIT – National Cyber Security Laws and Industrial Control
SecureIT blog series; previous articles:
- Basic Cyber Defense
- Create Complex Passwords that are Easy to Remember
- Who left the Backdoor Open?
- Cyber Security for Plug-ins
Introduction
New cyber security laws intended to protect critical infrastructure are being enacted by countries across the globe. Industrial Control System (ICS) users, implementer's, and vendors can no longer ignore trends toward national standards for cyber systems for Industrial Controls. Today, large countries like the United States, Germany and China have all enacted cyber security laws requiring vendors and implementer's of Industrial Control Systems to take on new compliance burdens. Even the smallest Industrial Control users must consider cyber security compliance to local laws in their ICS operations.
Overview of Cyber Law Trends
The first truly modern Cyber Security Law for critical infrastructure and Industrial Controls was passed in Germany in 2015. This law was the first to be called “strict” in that it has language to oblige private firms and German federal agencies to certify systems against cyber security standards. While there have been many countries who have passed laws to protect government systems, this was the first to require private firms to adhere to cyber security requirements. While Germany has pursued middle ground in cyber security Law, the United States has taken a more hands-off approach to private sector cyber security requirements. With the exception of US Electrical Grid operators, most US Cyber law are of the recommendation type and streamlining of cyber threat sharing like what is codified in the Cybersecurity Information Sharing Act of 2015 (CISA). That law mostly allows for all companies to share cyber threat data without concern of US Anti-Trust violation, more of this law will be discussed below. Also, a more recent type of law from China for Network Operation Security was passed. This law will have sweeping impact in how companies do business in China and its features will be outlined as well.
Key Point – Most modern Industrial countries are revisiting their cyber security related laws and making them stricter in terms of systems that affect critical industrial infrastructure.
Why are countries passing new Cyber Law? – The Security Goal
In the aftermath of several Critical Infrastructure cyber security breaches like the German Steel Mill, Stuxnet, and Ukrainian power grid it’s now at the forefront of national policy to prepare a countries critical infrastructure for potential cyber-attack. The goal for countries is to prepare public and private facilities against most of the threats that would cripple a nations industries. This preparation is easy to execute in public agencies because all that is needed is a security policy change by the government itself. But, private industries have been a bit of a problem for many countries to mandate cyber security requirements due to fear of cost impacting a nation’s industrial competitiveness. This concern is so large in the United States that most of the security requirement language was removed from the law that became the Cybersecurity Information Sharing Act. China seems particularly interested in creating a law framework that is very strict to companies doing business in China.
United States Cyber Law – Cybersecurity Information Sharing Act of 2015
In many ways the Cybersecurity Information Sharing Act (CISA) has the smallest impact of any current National Cybersecurity Law currently being implemented by National Governments. The CISA’s main provisions make it easier for companies to share personal business information with the government. The law creates an information sharing system between government and private companies allowing the free flow of Cyber Security Threat information. The law makes Cyber Security information easier to share via exclusions from Anti-Trust and Privacy laws to better allow private companies and government collaborate on Cyber Security Threats without fear of prosecution or censure. It is worth noting that Industrial Control systems are not specifically called out in CISA nor is Critical infrastructure. While the Act is modest in its actions required of private industry, CISA is viewed by many in US policy circles as an initial and vital first step in the process to get a new and more expansive Cyber Security law enacted in the US.
German Cyber Law – IT Security Act
While the CISA in the US is considered an initial effort at National Cybersecurity policy, the German IT Security Act is a sizeable law requiring a great deal of both the National Bureaucracy and private companies. (Note, ‘IT’ is an acronym for Information Technology) The IT Security Act defines ‘Critical Infrastructure’ as equipment and plants which are of great importance to the functioning of the community, because their failure could lead to shortfalls or threats to public safety. Further the IT Security Act enumerates the following sectors for special concern: Energy, Information Technology, Telecommunications, Transport and Traffic, Health, Water, Food, Finance, Insurance.
The exact scope of cyber security regulation in these sectors will be determined by additional legislation, but obviously Industrial Control systems are involved with most of these sectors. And certain service/sector providers have been explicitly exempted from implementing minimum IT security measures, and reporting cyber incidents. As the law is currently worded many companies and organizations in the above sectors must start implementation of minimum IT security measures and start reporting cyber incidents.
The specific new obligations to critical infrastructure operators are:
- Implement appropriate organizational and technical safeguards
- Regularly Prove that they fulfill the security requirements (at least every two years, e.g. via security audits)
- Designate a contact point for the German Federal Government’s BSI
- Notify the BSI immediately of any significant disruptions of the availability, integrity, authenticity and confidentiality of their IT systems
The German IT Security Act is a robust law requiring a great deal of public and private organizations. This law represents a firm step towards Central National Government control of Cyber Security Preparations and further paves the way to mandating Cyber Security Technical Safeguards for critical infrastructure systems.
Chinese Cyber Law – Network Operation Security
If we were to consider the German IT Security Law robust, one might say that the Chinese Cyber Law of 2016 is possibly overbearing in its scope and impact. While the new China Cyber Law does have some notification of Cyber Incidents language. The purpose appears (unlike the German Law) to be to tactically and defensively stop any network attacks during their execution. The reporting of Cyber Security incidents appears to be not in the same nature of notification like the German Law.
What is exceptional about the Chinese Law is the direct calls for IT Vendor Systems to be tested by a future Chinese Testing Organization. This testing methodology and requirements have yet to be determined. But from the language it clearly states that ALL systems must be tested to be sold in China.
Another unprecedented provision in the Chinese Law is the mandate for China computer system data to be stored in Mainland China. No vendor or company can store data about Chinese computer systems or Chinese citizens outside of China. Many internet service providers have already migrated data about Chinese customers to China in response to this law. The law makes no mention of a transition time or a mechanism to seek exemption from this Data Storage provision in the law. Most companies have assumed that the effect was immediate on the Law’s adoption by the Standing Committee. This nation state control of information flows, data flows that include private company information is very unique in Cyber Security doctrine. No other nation has implemented any kind of National Data storage limitation before. With modern internet IT systems being as complex as they are, one wonders if this Law can actually be fully implemented by all organizations. At the least the Chinese Cyber Security Law represents a huge power grab by a nation state in the area of Cyberspace. Also there is specific call out for scrutiny into Critical Infrastructure and Industrial Control systems in the China Cyber Law. Time will tell if the Chinese Law’s ideas spread to other countries wanting to secure and police their Cyber Infrastructure.
Cyber Law and the Future
Nation states are in the process of regulating their Cyber Infrastructure to a greater degree. No more can IT, Cyber or Cyber-physical systems be free of binding law at a National level. Whether its simple information sharing to mandated system testing. Nations are tightening the regulations regarding Cyber security and how it’s performed by both public and private entities. Time will tell if most countries follow the US, German or China model in their implementation of Cyber Security Law. But it is easy to see that times are changing in Cyber Security and more scrutiny into the security of IT Cyber and Industrial Control systems is guaranteed in the future.
Did you enjoy this article?? Leave a comment below!