Sunday, June 24, 2012

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is, in a sense, like agreeing not to learn. You know how, when you're in the passenger seat, you can ride to the same destination a hundred times and still not remember how to get there? If you weren't driving, you never learned the route in the first place. Fortunately, the GPS came along just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but unless and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, you need to quit and find another game.
I could see how that might make some folks say Ouch! Anyway, it prompted me to do a search to see whether utilities were embracing this mindset or resisting its downsides. Well, it didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, who, even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.