Although this article isn't based on fact, it is (nonetheless) "observational" in nature.
Our society is becoming increasingly plagued by the complexities of security and regulation, with an increased amount of regulatory requirements specifically for critical infrastructures.
Having worked for several infrastructure-sector organizations, I am quickly growing weary of the fact that individuals claiming to be "cybersecurity" or "critical infrastructure" subject-matter experts (or "SMEs") are indicating that adherence to a regulatory requirement or compliance governance means that something is "secured".
Let's get one thing straight: if you were asked to perform the *minimal* amount of work on something, and the amount of work was below what you felt was "safe" or "secure", would you stop at what was required of you -- or go "above and beyond the requirement(s)" and do more than what was asked of you?
Security doesn't stop with "minimalism"; it is an "ongoing process", something that many regulatory bodies (both public and private) are quickly finding out.
Case in point is the Energy Sector. There are several cybersecurity-related regulations that apply to this sector -- for nuclear, it's NRC REGGUIDE (RG) 5.71 -- for non-nuclear, it's NERC CIP. Without going into the specifics, these requirements (note the word: "requirement"; this isn't an "optional requirement", but a "required requirement") are used in the Energy Sector to ensure that process operations for any given organizational entity are "safe" and "secured" against a potential cyber threat or an actual attack.
Now... think about that last sentence for a moment, and I will come back to that later within this article.
Technology is constantly changing, right? In many cases/circumstances, technology continues to outpace business operations, with new technology now emerging every 3-6 months (and even then, is considered out-of-date, because there are -- at least -- 2 more revisions behind the [so-called] "latest 'n greatest" technology).
With increasingly changing technology (can apply to IT, and in this case, can now also apply to SCADA and control systems environments because of their increasingly used web services for administrative control of those environments), how easy is it to align the regulatory requirements against constantly changing technology? Regulations change veeeeeerrrrrryyyyy slloooooooooowly -- an example is NERC CIP v3 versus NERC CIP v4 versus NERC CIP v5.
To make such a change would require consent by committee -- something that takes quite some time -- as people (and companies) have differing opinions and positional stances as to what constitutes their overall position on a given subject or topic.
In many circumstances, making JUST ONE CHANGE may take years before being approved, and even then, it's not over -- not before others comment and ask either for further change or for a rollback to the prior revision, either because of technical disagreement or, in most circumstances, because of political positioning, as (perhaps) their representative company is performing a task or operation that is contrary to the regulatory requirement(s).
Now... take that against how fast and rapidly technology is changing. Do you see a problem here?
Additionally, the amount of work being asked to perform JUST ONE OPERATIONAL CHANGE is increasing with every revision of each regulatory requirement. In a nutshell, regulations aren't making life simpler -- rather, they're making life more difficult, more complex, and (certainly) more challenging.
If you work within the Energy Sector, nuclear or non-nuclear, how long does it take to perform a change request to fix a vulnerability of a SCADA or control systems' PLC? Some might argue that those PLCs are not subject to change management, as they may be protected behind a deterministic device, or that they may be (and I hate this word) "air-gapped" from the outside.
Or even yet, to make such a change within the process operations might require an engineering design review change (understandable), further complicating the necessity of actually "fixing" the problem.
Folks, the hackers are winning... not because they've found vulnerabilities and "chinks in our armor", but because our own bureaucracies, caused by adherence to regulatory requirements or compliance governances, are causing further and further grief, longer times to schedule and perform maintenance outages, and (when appropriate) actually *fix* problematic bugs found to be caused by vulnerabilities that hackers or private researchers found months ago.
In the not-too-distant future, I would imagine the following scenario (although simplified, I strongly feel that this scenario is very possible, given the current direction that we, as a society, are heading):
To place paint on the pavement of the road, in the future, will require the submission of a 400-600 page "requirements document", outlining the specifics to:
(1) type and viscosity of the paint used;
(2) adherence to a specific color for that region of the country or state (for instance, Colorado might utilize "Yellow 3546" for state-operated roads, and "Yellow 3412" for county-operated roads);
(3) adherence to specific dimensions of each line (width, length and thickness of the paint, depending on the type of line created);
(4) adherence to how far the painted lines are from the outer edges of the roadway;
(5) adherence to how far the double versus mixed lines are spaced between each other within the middle of the road;
(6) timing and distance between yellow versus white painted lines;
(7) time-of-day, time-of-week when the painted lines may be painted, and where the reflectors are placed (and that would require completion of FORM 34B-135 in accordance with the remeasurement of the lines painted along with the submission of the initial 400-600 requirements document);
(8) time-of-day, time-of-week when older painted lines are removed to make way for newer painted lines, unless the painted lines adhere to previous statutes indicating that removal isn't necessary, unless a given requirement is specified, then and only then, will newer painted lines be utilized; otherwise, no painted lines will be created as indicated by Section 3.6.14, Paragraph 367, Sub-Paragraph 14, outlining the specifics for when and where the painted lines will be utilized, or unless as authorized by Section 4.1.29, Paragraph 102 through 105, Sub-Paragraph 3 and 5, indicating that the paint will only be utilized during constant temperate times of the season, as indicated through...
OK... so the last item was "made up". Do you see where all of this is going?
Last and foremost, being in adherence to regulatory requirements or compliance governance guidelines DOES NOT mean that something is considered "secured". Simply put, it means that you have *met* an external oversight entity's requirements or guidelines that must be adhered to; otherwise, face a fine or some form of penalization.
To me, this DOES NOT represent something that is "secured"; it only means that an organization is willing to penalize or fine a regulated entity when they become *out-of-compliance* with said requirements (see above example #8 for how the requirements are becoming increasingly more "legalistic" in nature).
Our society is heading towards something that may be a hybridization between "THX 1138", "Brazil" and "Idiocracy"; both people and organizations are (quickly) heading towards this scenario example, but specific to their infrastructure sector, to maintain the "status quo".