Imagine the impact on a 21st century company trying to operate without electricity or phones because of a cyber attack, or a data breach that not only takes utilities offline but also puts utility customers' personal information in the hands of hackers. Consider the havoc caused by hackers controlling the HVAC systems of grocery stores or hospitals. These scenarios are the stuff of nightmares for corporate.

Though both the White House and Congress acknowledge the need to protect critical infrastructure from cyber attack, federal cybersecurity legislation stalled in 2012. To reignite the process, President Obama issued Executive Order 13636 on Feb. 12, 2013. The Executive Order tasked the National Institute of Standards and Technology (NIST) with creating a framework to reduce cyber risks to critical infrastructure (the Framework). Since protecting critical infrastructure is important to all US businesses, not just those that are part of the critical infrastructure, corporate counsel might consider reviewing the current discussion draft of the Framework, which was published on Oct. 22, 2013. NIST plans to release the official framework in February 2014, as called for in Executive Order 13636.
Recognition of the need for privacy and civil liberties safeguards surfaced in the first Request for Information responses to NIST, with one commenter writing: "[P]rivacy safeguards are vital to cybersecurity." New SmartGrid technologies, such as smart meters, expand the amount of data that can be monitored and collected. This expansion creates novel privacy concerns not directly addressed by existing regulations or by the business policies of companies managing critical infrastructure. For example, new types of energy-use data could be used to develop detailed time-stamped reports on energy-use activity in a private residence, or even to reveal the location of an electric car while it is being charged.
In several working sessions, the most recent of which took place in September 2013, NIST brought together stakeholders from a variety of industries, such as the financial, transportation, water, power and telecom industries, to participate in the development of the Framework, which adopts a risk-based (rather than a compliance-based) approach to cybersecurity.

The current draft of the Framework includes four major sections:

1. A guide that will educate senior executives and others on how to use the Framework to evaluate and manage their organizations' cyber risk preparedness.
2. A user's guide that will provide for more detailed implementation of the Framework and guidance for measuring performance.
3. The core structure of the Framework, which will include five major cybersecurity functions: know, prevent, detect, respond and recover (each with categories, subcategories and references to standards). In addition, the Framework will include three implementation levels to gauge how well an organization satisfies these cybersecurity functions.
4. A compendium of references, such as existing cybersecurity standards and industry guidelines and practices. NIST states that each organization using the Framework will need to decide which of these references match its relative threats, vulnerabilities and risks, as well as the resources available.
NIST's Smart Grid Cybersecurity Committee's Privacy Subgroup, which included members from industry and academia as well as privacy advocacy groups and IT security practitioners, was tasked with identifying privacy concerns and making recommendations for mitigation. This Subgroup conducted the first ever SmartGrid privacy impact assessment (PIA). According to Rebecca Herold, CEO of the Privacy Professor, a privacy/information security education consultancy, and chair of NIST's Smart Grid Cybersecurity Committee's Privacy Subgroup since June 2009, "utility company participants had to learn to see privacy issues in a different way. Historically, utilities were concerned only with informational privacy, the protection of billing information. It took a long time to convince utility companies that energy usage data in the meter was private data as well."

High-level recommendations of the Privacy Subgroup for SmartGrid stakeholders include: conducting pre-installation processes with transparency; conducting PIAs after significant legal or organizational changes, and particularly after security incidents, as an alternative to, or in addition to, an independent audit; developing privacy policies for the Smart Grid based on the OECD Privacy Principles; and regular training for workers who have access to personal information in the SmartGrid.
SmartGrid infrastructure has the potential to deliver electricity more efficiently and to give consumers choices on when and how much electricity they use. At the same time, opportunities remain for developing processes and practices to identify and address SmartGrid cybersecurity and privacy risks. It is not just the existence of more and new types of personal information arising out of SmartGrid technology that concerns privacy advocates, but the ways in which data from connected homes can be used and mined. "Big data will have a significant impact on SmartGrid privacy," says Herold. "Analytics today are mature enough to get information which can point to an individual."
Though there can be little debate that critical infrastructure needs to be secured, the Framework is not without its detractors. The flexibility of the Framework in allowing organizations to pick and choose from a variety of existing cybersecurity standards, guidelines and practices means there is a lack of industry-specific uniformity in both cybersecurity controls and a certification path. Ralph Langner, a Hamburg, Germany-based consultant on industrial control system security, has proposed an alternative approach called Robust ICS Planning and Evaluation (RIPE), which focuses on security capabilities rather than risk. Langner observes that a weakness of the Framework is that it lets organizations determine what to adopt based on that organization's implementation level.
Unlike the Framework, European Union cybersecurity legislation is compliance-based. "One of the intentions of the draft EU Cybersecurity Directive is to create frameworks for cybersecurity covering much of the same ground as the Framework that can be adopted by those falling within the Directive's scope," says Stewart Room, a London-based partner in Field Fisher Waterhouse's Privacy and Information Law Group, "but the philosophical basis behind the Directive and the Presidential Order are essentially different, in the sense that the EU wants a compulsory framework underpinned by the legislation, whereas the [United States] wants voluntary adoption of NIST encouraged by federal government."

"The EU body that will do much of the work covered by NIST is ENISA, but where things get more interesting is at EU member state level," says Room, "because the member states are creating national frameworks that get much closer to NIST. For instance, the UK government is currently consulting on a cyber assurance framework for the supply chain."
Another concern is that while the EU privacy directive has global reach, there is no coordination or integration between the EU and US approaches. This may be problematic for US-based or US-branched companies with overseas subsidiaries, affiliates and/or parents (or even EU personnel residing in the US) that must implement privacy safeguards applicable to both jurisdictions.

After the October 2013 discussion draft of the Framework was published, a comment period began, and those comments are also available online. (The comment period closed in December 2013.) Though NIST will continue to engage in stakeholder outreach and develop plans for updating the Framework after final publication in February 2014, now is the time to familiarize yourself with what will likely be the basis of any federal cybersecurity legislation, and to begin considering critical infrastructure issues that may affect your client's business in the future.
http://www.acc.com/accdocket/onlineexclusives/nist-framework.cfm
