This post was also written by Timothy J. Nagle.

One of the most significant takeaways from Reed Smith’s June 25, 2013 teleseminar, “Cybersecurity in Critical Infrastructure Industries,” is the availability of industry and governmental resources to assist oil and gas companies, electric utilities, and municipal water systems in assessing cybersecurity threats and finding ways to deal with them.

Presenters Bill Slattery from the FBI and Matthew Light of NERC described the threats common to critical infrastructure industries, and noted that these types of threats pose significant risks to both industrial control systems and internal corporate networks. The speakers spent a fair amount of time outlining the industry and government resources available:

  • Information Sharing and Analysis Centers (ISACs), which are composed of industry representatives operating under the auspices of the Department of Homeland Security, are available to companies in all sectors for the exchange of information about threats, vulnerabilities and security best practices. The ISACs may be particularly useful for smaller companies that are in the process of developing cybersecurity practices and policies.
  • The private sector has participated actively in the NIST Cybersecurity Framework process, which was initiated pursuant to the critical infrastructure executive order that was issued earlier this year. The draft outline encourages private sector input and existing standards, guidelines and practices. It is primarily directed to owners and operators of critical infrastructure entities, but there are opportunities for “organizations facing cybersecurity challenges” to become involved in or otherwise benefit from the NIST process.
  • The FBI has agents assigned to cybersecurity issues in nearly every office. Infrastructure industry participants, as well as industrial companies with cybersecurity concerns, were encouraged to contact their local FBI office, simply to have a communication protocol in place for when (not if, according to both speakers) a cybersecurity attack occurs.

A second important point made by both speakers is that cybersecurity is not just a technology issue. Continually updated cybersecurity policies, employee training and awareness, and effective management programs are of critical importance and all can be accomplished at relatively low cost. Industry associations can provide documents or guidance for the implementation of such policies and training that are common in all industries. Legal counsel can provide a risk-based perspective during the drafting and review of policies and standards relating to physical and information security, business continuity, technology and privacy.

We will continue to watch developments in this area and provide advisories on the Data Security, Privacy & Management blog.