Cyber Security Regulatory Landscape

Samir Pawaskar

Posted 22-Jan-2018

Disclaimer

• All views / opinions presented by me during this presentation are solely mine and do not represent the views / opinions of my organization in any way.

• Information used in this presentation is “Public” in nature.

Agenda

• Brief History

• Landscape in Qatar and GCC

• Regulations: Win Some / Lose Some

• Success factors?

• Objectives / Success achieved?

• Way Forward

Brief History of Regulations

Regulations for businesses have existed since time immemorial.

Primarily enacted to help the people (citizens / residents).

Some of the key reasons being to:

• Protect human lives and the environment.

• Create opportunities for people by regulating the market.

• Promote fair and ethical business practices and professional conduct.

• Create social equality.

Need for Cyber Security Regulations

• Today, the right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend.

– USA President’s Commission on Critical Infrastructure Protection, 1997

Landscape in Qatar

Landscape in GCC

• ADSIC – Abu Dhabi, UAE

• DSR – Dubai, UAE

• National Electronic Security Authority (NESA) - UAE

• National Crisis And Emergency Management Authority (NCEMA) – UAE

• Cyber Crimes Laws have been issued across most of the countries in the GCC

• eCommerce Law has been issued in Saudi Arabia

• Saudi Arabia also has provisions on data protection in certain sector-specific laws.

Regulations: Win Some / Lose Some

• Standards help prioritize focus on critical systems.

• Standards help identify the right stakeholders and drive communication among them.

• Standards help define and establish processes within organizations.

• Regulation helps drive compliance.

• However, more often than not it leads to a checklist approach that misses the security focus.

• Standards are found lacking in catching up with changing threats.

Is this what we aimed for?

Conclusions

• The good:

  • Regulations provide a ‘push’ for cybersecurity.

  • Standards drive process improvements, communications, and an increased cyber security maturity.

  • Standards have been improving over time, trying to keep up with threats.

• The bad:

  • Regulations risk evolving into a checklist mindset with a false sense of security.

  • Standards change slowly and are largely reactive in nature.

  • Too many standards risk duplication of efforts, dilution of authority and confusion amongst stakeholders.

• The ugly:

  • Regulations seem to be a prime force in the region driving cyber security.

  • Lead times between regulations (standards) adapting to threats can be substantial.

  • Jurisdictional issues and contingencies will always be present.

Thoughts to ponder

1. Are regulations an effective means to build cyber-resilience within OT environments? Are they necessary for OT security, or are there alternatives?

2. How can we support capacity / capability building and information sharing within and between industrial-control-system-intensive industries?

3. What tools, guidelines, or processes might be developed to help improve compliance effectiveness? How do we move from a checklist approach to a security-focused one?

Thank You

Thank You for being a lovely audience.

I can be reached at [email protected]

Project website: http://cisac.fsi.stanford.edu/docs/regulation-and-power-grid-resilience

CIRI website: http://ciri.illinois.edu/