Regulating Complex Critical Infrastructure Risks: Evidence From the Electric Grid Cybersecurity Standards
1 pm March 4, 2019
Complex industries such as petroleum production, civil aviation, and nuclear power produce ‘public risks’ that are widely distributed and temporally remote, and thus tend to be ignored by the risk producers. Regulation is perhaps the most common policy tool for governing such risks, yet using regulations to reduce risks in these complex industries is often controversial, with some arguing that regulations are ineffective, while others argue that they are essential even if imperfect. This presentation summarizes a CIRI-funded study of one set of regulations, the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, and its effect on the cybersecurity risks faced by one of the most complex systems in the world, the US electric grid. Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We will present a few recommendations from lessons learned in our research that can help regulators reduce cybersecurity risks while avoiding the potential negative consequences. We argue that while regulations are imperfect they may offer a vehicle for improving the way risks are managed in complex industries, including cybersecurity critical infrastructure risks.
Dr. Aaron Clark-Ginsberg is a Social Scientist at the RAND Corporation. A disaster researcher by training, Dr. Clark-Ginsberg has topical expertise in natural hazards, cybersecurity, infrastructure, regulation and governance, and community resilience. At RAND he is involved in several disaster related research projects, including for DHS, CDC, and Air Force. He was previously a DHS Postdoctoral Scholar at Stanford University, where he worked with Dr. Rebecca Slayton (Cornell) on a CIRI-funded project examining how regulations could be used to mitigate critical infrastructure cybersecurity risks. Dr. Clark-Ginsberg completed his graduate studies at University College Dublin in Humanitarian Action, where he examined how international and national agencies work together to reduce disaster risks in developing countries. His research was in partnership with the international NGO Concern Worldwide and took him to ten countries in Africa, Asia, and the Caribbean to review the organization’s disaster risk reduction and resilience building activities.