New WEF white paper responds to US request on harmonizing cybersecurity regulations


Following the July move by the U.S. Office of the National Cyber Director (ONCD) calling for information on harmonizing cybersecurity standards and regulations across jurisdictions, the World Economic Forum (WEF) on Wednesday published a white paper that lays out the response of the WEF Systems of Cyber Resilience: Electricity (SCRE) community. The paper addresses conflicts in cybersecurity requirements, identifies priority sectors and regions, evaluates international dialogues, reviews ongoing global initiatives, and explores regulatory reciprocity.

Last September, the WEF SCRE community “had identified global regulatory interoperability as one of its key focus areas, and had set up the Global Regulations Working Group to facilitate interoperability of global cyber regulations in the electricity sector,” the WEF noted in its latest document. “This working group tackles the challenges of complex, industry, and sector-agnostic, fragmented, inconsistent, and sometimes conflicting regulations. These siloed regulations lack and prevent interoperability, resulting in increased costs and inefficiencies as limited resources are diverted to address compliance challenges instead of directly addressing sectorial and organizational cybersecurity posture.”

The white paper added that the working group is working towards creating common community positions among its members to help regulators and government agencies that function as regulators better understand the needs of the sector.

In July, the U.S. administration issued a Request for Information (RFI) on the harmonization of cybersecurity regulations and regulatory reciprocity, inviting stakeholders’ input to understand the prevailing issues related to regulatory overlap and inconsistency. The RFI also aims to investigate a framework for mutual recognition by regulators of compliance with fundamental cybersecurity requirements. This initiative continues the administration’s commitment, as outlined in the National Cybersecurity Strategy, to streamline not just regulations and rules but also the assessments and audits of regulated entities.

The SCRE community welcomes and supports ONCD’s regulatory harmonization effort. Its recommendations to the ONCD include continuing ONCD’s ongoing efforts to increase global regulatory interoperability, increase security, and reduce costs; prioritizing security over compliance by adopting a risk-based approach; engaging private, public, and civil society stakeholders from the earliest stages of the policy and regulatory processes; using existing international technical standards established by non-government bodies, such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); and participating in international dialogues and international initiatives on cybersecurity.

The WEF disclosed that regulatory interoperability is one of the key focus areas of the SCRE and its Global Regulations Working Group. The working group addresses the complexity of regulatory challenges that span the electricity sector, characterized by fragmentation, inconsistency, and occasional conflict. These regulatory hurdles hinder the achievement of global interoperability, leading to heightened costs, inefficiencies, and missed opportunities as resources are redirected to tackling regulatory issues rather than enhancing sector-specific and organizational cybersecurity postures.

The working group’s key insights are that the evolution of the cyber threat landscape has led to an increase in cybersecurity regulations globally; that global regulations are fragmented and in some cases conflicting, which increases costs and inefficiencies and harms cybersecurity through the opportunity costs of diverting limited resources; that organizations have had to take hard, risk-based decisions ranging from managing regulatory complexity to exiting certain markets; and that regulations need to prioritize security over compliance by adopting a risk-based approach.

The working group has established its stance on the critical international regulatory topics it identified. These include compliance and enforcement, with a global commitment to prioritize security over compliance; and data protection and privacy, with a global commitment to support data protection and privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union (EU).

It also covers information sharing, with a global commitment to create and use a common information-sharing protocol and taxonomy worldwide and to support the respective electricity information sharing and analysis centers (ISACs); and incident response and reporting, with a global commitment to adopt a common and efficient international incident reporting taxonomy and requirements.

The WEF white paper also covers cybersecurity hygiene (internal policies and procedures), with a global commitment to establish basic cyber hygiene principles specific to the electricity sector; penetration testing, with a global commitment to regular internal penetration testing that includes operational technology (OT) penetration testing; and vulnerability disclosure and management, with a global commitment to sectorial disclosure of vulnerabilities among closed groups of sector-specific, pre-authorized entities.

The working group also takes positions on risk assessment and management, with a global commitment to applying risk assessment methodology consistently across both IT and OT environments; third-party risk management, with a global commitment that every organization in the supply chain must consider and be responsible for the cybersecurity of its scope of work; and standards, with a commitment to adopt existing, mature international standards such as ISO 27001 and IEC 62443 rather than creating unique national (or regional) standards.

Given the SCRE’s global perspective and proficiency in the field, the community has shared its collective knowledge in the WEF white paper, with the intent of providing precise responses to the inquiries in the international section of the RFI. The RFI advances one of the 69 initiatives that the U.S. National Cybersecurity Strategy Implementation Plan announced in July.

The RFI calls for the identification of specific instances in which U.S. federal cybersecurity requirements conflict with foreign government cybersecurity requirements, and asks whether there are specific countries or sectors that should be prioritized when considering harmonizing cybersecurity requirements internationally. It also asks which international dialogues are engaged in work on harmonizing or aligning cybersecurity requirements, and which would be the most promising venues to pursue such alignment.

It further asks for the identification of any ongoing initiatives by international standards organizations, trade groups, or non-governmental organizations engaged in international cybersecurity standardization activities relevant to regulatory purposes, along with a description of the nature of those activities. Finally, it seeks examples of regulatory reciprocity within a foreign country, between foreign countries, or between a foreign country and the U.S.

In its conclusion, the WEF white paper said that multiple concurrent trends are amplifying the risk landscape, including the proliferation of digitized and interconnected devices within energy infrastructure; a surge in attacks targeting this infrastructure; a transformation of the sector driven by the energy transition, which challenges established regulatory assumptions; and the emergence of powerful capabilities in both defense and offense through technologies such as artificial intelligence.

“Across the globe, regulators, including those in the United States, often employ diverse approaches to address similar cybersecurity challenges due to the absence of a universal consensus on cybersecurity standards,” the WEF white paper disclosed. “Consequently, this leads to complex and generalized regulations across various industries and sectors, resulting in fragmented, inconsistent, and sometimes conflicting regulations. This impedes interoperability.” 

Further, “as the cybersecurity threat landscape evolves, regulatory bodies respond by introducing additional regulations, exacerbating the issue by increasing costs, introducing inefficiencies, and impacting the cybersecurity posture of both sectors and organizations. The diversion of limited resources away from addressing cybersecurity challenges also carries opportunity costs.”

Last month, the U.S. National Institute of Standards and Technology (NIST) published the third revision of NIST SP 800-82, with updates focusing on the expansion in scope from industrial control systems (ICS) to OT, updated OT threats and vulnerabilities, and updated OT risk management, recommended practices, and architectures. The NIST SP 800-82r3 document provides OT asset owners and operators with updates on current activities in OT security and on security capabilities and tools for OT.
