CIRI researchers study impact of regulations on electric grid

Two prominent CIRI-funded researchers have brought the social sciences in dialogue with STEM through their analysis of cybersecurity regulations for critical infrastructure.  Rebecca Slayton, Cornell University Science & Technology Studies (STS) Professor, and Aaron Clark-Ginsberg, RAND Associate Social Scientist, recently published the paper “Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards” in Oxford UP’s Science and Public Policy journal. 

The two authors conducted seventy interviews of regulators, auditors, engineers, consultants, and other stakeholders, as well as observational research, in their study on the efficacy of the mandatory U.S. Critical Infrastructure Protection (CIP) standards in securing the U.S. electrical grid.  Clark-Ginsberg describes the NERC CIP standards as “inherently fascinating,” as they are one of the few mandatory standards for the cybersecurity of U.S. critical infrastructure. 

Through the study, one of the first of its kind, researchers collected evidence on the impact of regulations on society by analyzing the whole spectrum of players who work to manage the electric grid. 

Says Clark-Ginsberg: “One of the top-level findings of our research is that the electric grid is a complex socio-technical system - a mixture of technologies, people, and regulations operating at local, regional and national scales … when a new regulation is injected into that system, unexpected changes can occur.” 

The researchers label such behavior - unexpected changes that arise, often in a non-linear manner - as “emergent.”  Such emergent behavior can have positive or negative effects.  For example, a positive unintended effect includes the birth of the new cybersecurity Operations Technology (OT) expert. 

As the literature in this field is still in a nascent state, the researchers see the need to conduct more research on strategies for using regulations to mitigate cyberthreat for critical infrastructure.  While this particular study focused on the electric grid, other types of infrastructure remain to be studied - including water, the defense industrial base, and transportation. 

“The regulatory landscape for cybersecurity is still in its infancy," notes Clark-Ginsberg. "It’s still experiencing a lot of growing pains in figuring out how to appropriately manage and mitigate cyber risk.” 

The duo designs their research with a dual audience in mind, with the intention of filling the gap between academic researchers and policy-makers.  While cybersecurity is often see as too complex and too quickly- moving to regulate, Slayton and Clark-Ginsberg believe that regulations can be used to mitigate cybersecurity risk and ought to be a salient component of the sociotechnical system that revolves around our nation’s critical infrastructure.