Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.
Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.
He suggested that the best approach was for the the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.
Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.
It struck me that perhaps here was a model here for electric utility self policing re: cybersecurity and privacy. Maybe if more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.
As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC, demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.
All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.
