Title :
Regulating Cybersecurity: Institutional Learning or a Lesson in Futility?
Author_Institution :
Kennedy Sch., Harvard Univ., Boston, MA, USA
Abstract :
On 22 November 2013, the Federal Energy Regulatory Commission approved the latest version of mandatory cybersecurity regulations for the bulk electric system--known as Critical Infrastructure Protection (CIP) Reliability Standards. The CIP standards are relatively unique: they are developed through an unusual model of industry-led regulation that places industry, and not federal regulators, at the center of regulatory design and enforcement. The CIP regulations have received a significant amount of criticism. Critics argue that the regulations are incomplete at best and irreparably flawed at worst. The author examines the lessons we can learn from the CIP standards and poses a provocative question: Are the regulations actually a secret success?
Keywords :
power engineering computing; power system security; security of data; CIP reliability standards; Federal Energy Regulatory Commission; bulk electric system; critical infrastructure protection; cybersecurity regulation; industry-led regulation; institutional learning; regulatory design; regulatory enforcement; Computer security; Control systems; Electricity supply industry; Energy management; Government policies; Regulators; Safety; Standards; US Federal Energy Regulatory Commission; control systems; critical infrastructure protection; electric power; regulation; security;
Journal_Title :
Security & Privacy, IEEE
DOI :
10.1109/MSP.2014.124
