2. Disclaimer
• All views / opinions presented by me during this presentation are
solely mine and do not represent the views / opinions of my
organization in any way.
• Information used in this presentation is “Public” in nature.
3. Agenda
• Brief History
• Landscape in Qatar and GCC
• Regulations: Win Some / Lose Some
• Success factors?
• Objectives / Success achieved?
• Way Forward
4. Brief History of Regulations
• Regulations for businesses have existed since time immemorial.
• They were primarily enacted to help the people (citizens / residents).
• Some of the key reasons being to:
• Protect human lives and the environment.
• Create opportunities for people by regulating the market.
• Promote fair and ethical business practices and professional conduct.
• Create social equality.
5. Need for Cyber Security Regulations
• Today, the right command sent over a network to a power generating station’s
control computer could be just as devastating as a backpack full of explosives,
and the perpetrator would be more difficult to identify and apprehend.
– USA President’s Commission on Critical Infrastructure Protection, 1997
7. Landscape in GCC
• ADSIC – Abu Dhabi, UAE
• DSR – Dubai, UAE
• National Electronic Security Authority (NESA) – UAE
• National Crisis And Emergency Management Authority (NCEMA) – UAE
• Cybercrime laws have been issued across most of the countries in the GCC
• An eCommerce Law has been issued in Saudi Arabia
• Saudi Arabia also has data protection provisions in certain sector-specific laws.
8. Regulations: Win Some / Lose Some
• Standards help prioritize focus on critical systems.
• Standards help identify the right stakeholders and drive communication among them.
• Standards help define and establish processes within organizations.
• Regulation helps drive compliance.
• However, more often than not, compliance leads to a checklist approach that misses the security focus.
• Standards lag behind changing threats.
10. Conclusions
• The good:
• Regulations provide a ‘push’ for cybersecurity.
• Standards drive process improvements, communication, and increased cyber security maturity.
• Standards have been improving over time in an effort to keep up with threats.
• The bad:
• Regulations risk evolving into a checklist mindset with a false sense of security.
• Standards change slowly and are largely reactive in nature.
• Too many standards risk duplication of effort, dilution of authority, and confusion among stakeholders.
• The ugly:
• Regulations seem to be the prime force driving cyber security in the region.
• Lead times between regulations (standards) adapting to threats can be substantial.
• Jurisdictional issues and contingencies will always be present.
11. Thoughts to ponder
1. Are regulations an effective means to build cyber-resilience within OT environments? Are they necessary for OT security, or are there alternatives?
2. How can we support capacity / capability building and information sharing within and between industrial control system intensive industries?
3. What tools, guidelines, or processes might be developed to help improve compliance effectiveness? How do we move from a checklist approach to a security-focused one?
12. Thank You
Thank You for being a lovely audience.
I can be reached at pawaskars@gmail.com
*Project website: http://cisac.fsi.stanford.edu/docs/regulation-and-power-grid-resilience
*CIRI website: http://ciri.illinois.edu/