Balancing Cybersecurity And Regulatory Compliance
Rigorous regulations like GDPR and California’s Consumer Privacy Act will only become more prevalent as long as the cybersecurity landscape continues to suffer its near-crippling data breach affliction. Attackers seem to stay one step ahead of defenders, changing their attack vectors as new technologies such as artificial intelligence and automated bots become available. But are new laws protecting our progress, or hindering it?
Regulatory compliance over cybersecurity
As witnessed overseas, many companies are struggling to stay compliant with standards like GDPR and are more focused on meeting the minimum requirements than on building sound security programs, leaving weaknesses that attackers can readily find. Regulatory requirements also become outdated fairly quickly in the cyber world. Worse, regulation outlines that are made publicly available essentially hand attackers a roadmap of where defenses begin and end. By the time the governing bodies overseeing these standards implement measures to fix those gaps, it’s already too late. Businesses are exhausting time, manpower and capital on compliance that is inherently vulnerable, rather than on robust defenses that actually protect all stakeholders.
Cyber threats in highly-regulated environments
Highly regulated industries like energy and utilities face many security and compliance challenges, from protecting consumers’ payment card data to meeting internal audit and disclosure requirements under Sarbanes-Oxley. Service providers, many of which have small cybersecurity budgets, fall under the authority of the Federal Energy Regulatory Commission (FERC) and must also adhere to the Critical Infrastructure Protection (CIP) cybersecurity standards set by the Electric Reliability Organization (ERO) that FERC has certified, the North American Electric Reliability Corporation (NERC). These standards call for continuous monitoring of any and all digital access to critical infrastructure, along with detailed reporting that can be produced at any time of day, which today requires hours of manual input.
While struggling to comply with multiple regulations at once, hundreds of U.S. utility companies failed to prevent a Russian-backed campaign in which hackers gained access to control rooms, and many victims remain unaware that they were attacked. Despite several prior warnings about the technique, DHS says, the hackers sent spear-phishing emails that tricked vendors and suppliers into giving up their passwords, and used those credentials to get onto utility networks. From there, the hackers were able to steal confidential details, including the type of equipment in use and how it is controlled, how the utility networks are configured and how the facilities work, so they can carry out larger-scale attacks down the road while posing as trusted employees. Armed with this information, they could plausibly access our power grids and throw switches, causing blackouts in localized areas. That may not sound as harmful as a nationwide outage, but the effects could still be damaging to hospitals, banks and more. It is also expected that these hackers will automate their attacks, if they have not already, in order to scale.
Addressing the issue at scale
In an environment like the utilities space, how can we address the problem from a regulatory compliance, and overall cybersecurity, perspective? With multiple regulations to keep in line with, it is a difficult task for energy providers to keep up, especially those with limited funds to allocate to better cyber protection. To compound the issue, once hackers automate their attacks on the grid, it will be near impossible for businesses to combat them manually.
Until utility commissions implement proper cybersecurity standards, providers must implement security measures themselves to protect their systems and their assets. To do so, businesses must look into methods that can distinguish legitimate users from cybercriminals while also solving the manpower and cost issues. What many may not be aware of is that the technologies equipped to do so already exist.
Artificial intelligence (AI) can be trained to digest large amounts of information, like multiple regulatory mandates, much faster than its human counterparts. Firms and regulators can also use this technology to make sense of massive volumes of data, including changes, updates and client documents, using systems for intelligent tagging, grouping and de-duplication. This frees up time for utility company employees to focus on other areas of the business that need attention. Solutions geared specifically for the stringent cybersecurity requirements of the energy and utilities industry, like that from WizNucleus, deliver continuous monitoring, cybersecurity assessment, configuration management, and policy automation and compliance.
Combined with technologies like blockchain, AI can quickly share that data across traditional silos through blockchain’s decentralized structure. Siloing of information in different systems and reliance on legacy IT can be problematic for businesses and regulators alike, as both are often forced to use manual processes or even paper forms to manage data. With blockchain, every action is documented in one shared, tamper-evident, permanent location (its distributed ledger), which would relieve regulators and firms of the need to keep their own sets of records, save money, and improve the speed and accuracy of the regulatory review process. One caveat practitioners should keep in mind: a ledger guarantees that a record cannot be altered after it is written, not that the record was accurate when it was written, so the controls around data entry still matter.
AI-powered behavioral analytics is another solution to this problem. AI and machine learning algorithms can build a behavioral model for every employee from their mannerisms: the way they walk, talk, tap, type and swipe, down to the hand they prefer to hold their device in. These models continuously adapt to the user’s behavior, compare each new action against that “normal” activity, and immediately flag deviations as possible threats. Because AI operates at machine speed, it can also detect changes in operation and automated attacks in real time, before they become a problem.
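The paragraph above describes the shape of behavioral analytics without showing the mechanics. The following is an added illustration, not code from the article, from WizNucleus or from any vendor: a per-user baseline over a few hypothetical telemetry features (inter-keystroke interval, tap pressure, swipe speed), a z-score check of each new sample against that baseline, and adaptation that folds a sample into the baseline only after it has passed the check. The feature names, thresholds and the enrollment data for the user “alice” are all constructed for the example.

```python
"""Adaptive per-user behavioral baseline with deviation flagging.

Added illustration (not from the article or any vendor): each user gets an
exponentially weighted mean/variance per behavioral feature; new samples are
z-scored against it, flagged past a threshold, and fold into the baseline only
when they looked normal. Feature names and values are constructed.
"""
import math
from dataclasses import dataclass, field

# Hypothetical telemetry features a desktop/mobile agent might report.
FEATURES = ("key_interval_ms", "tap_pressure", "swipe_speed")


@dataclass
class FeatureStats:
    """Running mean/variance: exact (Welford) during warm-up, EWMA afterwards."""
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def update(self, x: float, alpha: float, warmup: int) -> None:
        self.n += 1
        delta = x - self.mean
        if self.n <= warmup:                     # cumulative population stats
            self.mean += delta / self.n
            self.var += (delta * (x - self.mean) - self.var) / self.n
        else:                                    # forget old behaviour gradually
            self.mean += alpha * delta
            self.var = (1 - alpha) * (self.var + alpha * delta * delta)

    def zscore(self, x: float) -> float:
        # Floor the spread at 5% of the mean so a very consistent user is not
        # flagged on sensor noise (and so we never divide by zero).
        sd = max(math.sqrt(self.var), 0.05 * abs(self.mean), 1e-9)
        return abs(x - self.mean) / sd


@dataclass
class UserProfile:
    warmup: int = 10        # enrollment samples trusted unconditionally
    alpha: float = 0.1      # EWMA weight of each newly accepted sample
    threshold: float = 3.0  # max |z| over features before we flag
    stats: dict = field(default_factory=lambda: {f: FeatureStats() for f in FEATURES})

    def observe(self, sample: dict) -> dict:
        """Score one sample, then adapt the baseline only if it passed."""
        if self.stats[FEATURES[0]].n < self.warmup:
            self._learn(sample)
            return {"verdict": "learning", "score": None, "zscores": {}}
        zs = {f: round(self.stats[f].zscore(sample[f]), 2) for f in FEATURES}
        score = max(zs.values())
        if score > self.threshold:
            # Flagged samples must not shape the baseline, or an intruder could
            # "become" the user simply by persisting on the account.
            return {"verdict": "flagged", "score": score, "zscores": zs}
        self._learn(sample)
        return {"verdict": "ok", "score": score, "zscores": zs}

    def _learn(self, sample: dict) -> None:
        for f in FEATURES:
            self.stats[f].update(sample[f], self.alpha, self.warmup)


def sample(key_interval_ms: float, tap_pressure: float, swipe_speed: float) -> dict:
    return dict(zip(FEATURES, (key_interval_ms, tap_pressure, swipe_speed)))


# Constructed enrollment data for a hypothetical user "alice" (not real telemetry).
ALICE_ENROLLMENT = [
    sample(182, 0.44, 1.18), sample(176, 0.47, 1.25), sample(188, 0.45, 1.15),
    sample(179, 0.43, 1.22), sample(185, 0.46, 1.30), sample(174, 0.44, 1.12),
    sample(181, 0.48, 1.21), sample(190, 0.45, 1.27), sample(177, 0.42, 1.16),
    sample(183, 0.46, 1.24), sample(180, 0.45, 1.19), sample(186, 0.47, 1.23),
]


def enroll_alice() -> UserProfile:
    """Build alice's profile from the constructed enrollment session."""
    profile = UserProfile()
    for s in ALICE_ENROLLMENT:
        profile.observe(s)
    return profile


if __name__ == "__main__":
    alice = enroll_alice()
    print("genuine :", alice.observe(sample(185, 0.46, 1.25)))
    # Someone else typing faster, pressing harder and swiping quicker on alice's account.
    print("intruder:", alice.observe(sample(95, 0.70, 2.40)))
```

Two design points matter more than the arithmetic. First, the warm-up samples are trusted unconditionally, so enrollment has to happen in a session you already trust (for example right after a strong initial login); otherwise the model learns the intruder. Second, refusing to learn from flagged samples stops a blatant intruder from training the model, but an attacker who stays just under the threshold can still nudge the baseline over many sessions, so a deployment would add a slower check for sustained low-level drift and periodic re-verification through a second factor.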
Until better standards are in place, businesses in every space, whether in the energy sector or another industry, must take the reins and harness the latest technology to ensure both regulatory and security compliance at scale. Otherwise, we can only expect more cybersecurity threats and attacks on our critical infrastructure.
Author: Deepak Dutt