Do I have to comply with the new National Security memorandum on industrial security?
By Patrick Miller
Is the new National Security Memorandum on industrial security mandatory? Watch this interview with Ampere Industrial Security's Patrick Miller for answers that will help guide your next steps.
Keysight Sr. Industrial Solutions Manager Gail Ow interviews Ampere CEO Patrick Miller about the memorandum. Interview edited for length and clarity.
GAIL:
I guess the question with this memorandum that comes to my mind is, do I have to do this?
PATRICK:
I think that question is on everyone's mind. The short answer is 'no,' the longer answer is 'not yet.' You will eventually need to do this in one way, shape or form. So, for now, since it is a voluntary collaborative initiative, which is what it says in the memo, it is an ask by the president: will you do these things? Will you voluntarily measure yourself against these goals for these areas?
Some industries are further along than others. For them, it's not that big of an ask. For some others, it might be more of an ask. But the short answer is 'no.' You don't have to do this because it's not a regulation. It's not even an executive order. It's just a memo.
GAIL:
What are the pros and cons of not doing this? Maybe I decide to just wait and see.
PATRICK:
Well, there's definitely some pros and there's definitely some cons. Security is the right thing to do anyway. You are a critical infrastructure in this nation. And you should probably take that seriously and treat your systems accordingly.
That said, there really isn't a uniform way to measure all of this. That's kind of what they're asking, is to take what you've been doing and map it to this new uniform measuring approach.
If you don't do it, you're just going to end up having to do it later at some point, because this is where we're all moving. We've all been talking about this. All the infrastructures know that eventually they're going to get something kind of like NERC CIP, because the electric sector already has one.
TSA has something in the gas pipeline space that's close. Chemical has something like that, water has something like that.
They know that even though some of them are voluntary guidelines or close to that kind of thing --- all the way up to serious penalties for example in NERC CIP --- if they don't respond, they're going to end up with regulation.
This was very clear, for example, even the memorandum itself says they'll look at other measures if the voluntary approach doesn't work. In the the press briefing the night before, the notes from that, it was very clear that this is a voluntary effort for now. And if there isn't response, it will turn into regulation at some point.
GAIL:
All right. So this sounds like something I definitely have to do. But I've got a day job, right. So what's the harm in waiting and seeing what other folks do?
PATRICK:
Some likely will do that. Maybe they're busy, or they have other risks on their mind, or they just don't want to do this until they're told to.
Security, just for the sake of business, makes sense in a lot of ways. You should be doing this just because you're critical infrastructure.
When you wait like this, you get what's left, because everybody else that takes this seriously early on, gets things at a better price. They get a better pick from the consultants. You're not dealing with the leftovers, you get better choices in a lot of the technology components, often better pricing. You're not looking at waiting until the last minute and getting what you can get for the price at that time.
That constrained market of waiting isn't going to do you any good. You're going to end up with something worse than had you started. There's an old developer saying I like to use which is, "A dime in development is $1.10 in production. So the earlier you start this, the cheaper it is in the long run.
Not to mention that you've got things in the industrial control system space, which is what this is geared at. You may need to take things out of service, or you may need to extend an outage so you can get some of this technology put in place.
The earlier you start the planning, the better. You really don't want to try to do this at the last minute because it's impending regulation with serious penalties. Start working on it as early as you can.
The next piece is the M&A, mergers and acquisitions. This is standard business relations anymore. Businesses that want to do business with other businesses are asking you these questions, whether it's mergers and acquisitions, or just standard corporate relationships.I've even seen in just regular contracts a very heavy amount of security language.
This is now just kind of par for the course when you're doing business. And that's only going to get more and more common as you get into more business agreements. Either you're being acquired or you do acquire and you go through some mergers and acquisitions on your side.
The last one is is insurance. Cyber insurance is getting very savvy. You can't get fire insurance if you don't have a smoke detector, if you don't have fire extinguishers, if you don't have sprinkler systems. It's along the same way. To get cyber insurance or to process a claim, you're going to get asked all these questions about what you're doing. And they're smart. They're not asking general questions. They're down to the file level, protocol level, process level. They know. When they ask you these questions, how you respond is going to tell them what your security position is.
Whether it's supply and demand causing unconstrained markets, whether it's just because it's par for the course because that's how you're doing business nowadays and to do business, it's what's expected. In addition, you're going to end up with poor insurance, or no insurance, or inability to process a claim as a result.
Those are three good reasons --- just because it's part of business that you should be doing them --- in addition to the fact that if you don't, you're going to get regulated and be told to at some point.
GAIL:
That was a lot of really good information about why people should do this. But what would happen if somebody actually gets attacked? What would the fire extinguisher look like?
PATRICK:
Especially if you did nothing. If you're trying, that's going to show. But if you just ignored this and you're not doing anything, it's going to be a bad PR hit, frankly.
There have been cases where some organizations didn't work well with the federal government when they were attacked. There have been some that have actively denied that anything's going wrong, when it's very obvious that they've just been hacked to pieces. Those have all ended up with very bad PR situations and stock drops, and it hit their bottom line pretty hard.
The more you that the more you apply this, the more you align with it, the better the company is going to look in the event that you do actually suffer an attack at the same time.
Your progress on this is not just being measured by the federal space, it's also being measured by your customers and your business partners and the world, frankly.
GAIL:
That sounds like, despite the fact that it's voluntary and not an executive order, people should do this. In your experience and dealing with your clients, do you think companies really will?
PATRICK:
I think they will. I think they've seen that this is a long time coming. I think they've seen the writing on the wall.
There have been lots of discussions about this in the past. And it's finally coming to a place where there's enough going on. And they've at least picked out the industries where it's going to start.
This has got a lot of inertia behind it. It's not just one day, the president woke up and said, "Hey, I want to issue a memo on this. This should this should be a cool thing to do." No, there have been a lot of different approaches that have been tried and failed.
And other tactics have been proposed. There's been lots of this same thing done in different ways. But this is the first time it's actually come together like this, at this point, with these things behind it.
I think they they knew it was coming. So I think they'll do it. And the ones that don't? It's just going to be more difficult for them in the long run. Frankly, they could end up making their their particular industry more challenging to deal with, which just makes the regulation worse.
GAIL:
Fun times ahead.
PATRICK:
Yes.
GAIL:
Thank you so much, Patrick, for joining us today. I learn so much every time I talk to you.
Gail Ow’s Keysight Technologies companion blog for this video
Industry Brief on the National Security Memorandum from Ampere’s Patrick Miller
