From the Fall 2023 Issue

Safe, Reliable: A Cyber Duty of Care and Standard of Practice

Henry J. Sienkiewicz
Faculty | Georgetown University

As the alarm clock goes off, a drowsy hand turns on a light switch. Lights go on and lights go off – safely, reliably. Different manufacturers, different processes, same result – safe, reliable.

The foundation for this safety and reliability is found in the National Electrical Code, the comprehensive set of rules that govern the installation and use of electrical systems – an electrical standard of care.

In 2019, the movie “The Current War” dramatized the early, chaotic days of the electrical industry.  It was a time of technological advances, tragic accidents, intense competition, and enormous egos.

The National Electrical Code (NEC) can be traced back to these early days. In the midst of its early chaos, there was a collaborative effort among experts. They established guidelines to promote electrical safety.  As electricity became more widespread, so did concern about the dangers it posed.  Haphazard and inconsistent practices caused numerous accidents and fires.

Beginning in 1897, the National Board of Fire Underwriters (NBFU) (now known as the National Fire Protection Association or NFPA) developed the first safety standards for electrical installations. This work laid the foundation for what would become the NEC. The NEC standards are the basis for the electrical industry’s Duty of Care and Standard of Practice. It became apparent that a Duty of Care/Standard of Practice based on accepted and defined standards was necessary to ensure accountability. The National Electrical Code established the quality assurance necessary to ensure consistency, ethical responsibility, and regulatory compliance.[1] The profession became more transparent and accountable.

“Duty of Care/Standard of Practice” principles are not unique to the electrical industry. Medical, legal, engineering, and other professional communities have references to a duty of care/standard of practice. These standards outline a professional’s responsibilities to clients, patients, or customers. While these terms have some very specific legal meanings, this article is not intended to provide legal advice.

“Duty of care” refers to the legal obligation to act in a manner that avoids causing harm to others[2], while “standard of practice” refers to the level of skill, competence, and diligence that professionals are expected to maintain within their fields.[3]  In other words, the “duty of care” establishes the level of performance that is expected, while the “standard of practice” outlines the specific methods and approaches that are typically used by a professional in his or her field.

For example, an electrician or a system administrator would be expected to act with the same level of care as a professional with a similar level of training. If the electrician fails to wire a building to the proper standards when a reasonably competent professional would have done so, the electrician may be considered negligent and could be held liable for any losses that result. The cyber profession does not have a similar expectation. It should.

The NEC did not emerge fully formed. The original code was 47 pages. The 2023 Code is 912 pages.  Over the years, the NEC has undergone significant revisions and expansions. It has kept pace with technological advances and changing safety needs. As electrical systems became more complex, the code evolved to address issues such as grounding, overcurrent protection, wiring methods, and equipment standards.[4] Similar advances are occurring in information/operational technology.

The collaborative nature of the development of the electrical codes cannot be overemphasized. The code was developed with input from a wide range of stakeholders. These stakeholders included engineers, electricians, manufacturers, safety advocates, code officials, trade associations, and the insurance industry. Stakeholders united to share their knowledge and insights all with the goal of turning lights on and off safely and reliably.

Creating a Duty of Care/Standard of Practice for Cybersecurity

The information and operational technology community and its stakeholders should adopt the same collaborative approach to develop their own “Duty of Care/Standard of Practice.” Consumers, businesses and investors, regulators, the insurance industry, and, ultimately, market forces should be leveraged to advance the state of the industry.

While the cyber profession has aspired to professional status, it has not achieved this goal. As occurred with the electrical industry, information/operational technology professionals need to become more transparent and accountable.

Fortunately, there are ways to achieve transparency and accountability. Consumers, businesses, and investors are increasingly focused on data privacy and security when selecting products and services. The regulatory community is providing strong guidance and best practices. The insurance industry is helping cybersecurity through its liability models. Industry associations are providing best practices. Duty of Care/Standard of Practice principles are being tailored to specific industries.

Consumers, Businesses, and Investors

In a world where cyber breaches are reported on an almost daily basis, consumers, businesses, and investors have become more focused on ensuring that their data remains confidential, has integrity, and is available – the Data CIA Triad.[5] As much as has been spent and is expected to be spent, consumers, businesses, and investors are still struggling to ensure that their environments are secure. They are searching for the “right way,” the “best practices.” They are in search of a standard of practice, a set of guidelines for the protection of their data.[6]

Consumers are on the front lines of the ongoing cyber conflict. It has become incumbent for consumers to increase their understanding of cybersecurity. They need to proactively ensure that their environments are secured.

Meanwhile, it has become clear that companies that make cybersecurity a priority will gain a competitive advantage by earning the trust of their customers and ultimately increasing sales and market share. Security-conscious consumers can be attracted by transparency about security practices and adherence to industry standards. Investors can accelerate the growth of cybersecurity ventures by funding research, development, and implementation of new technologies. In a world with “Duty of Care/Standard of Practice” principles, companies and investors will have an obligation to ensure that they are transparent and accountable for the cybersecurity posture of their products and services. Consumers need to know that the products they install are trustworthy.

As consumers, businesses, and investors continue to prioritize privacy and security, they are recognizing that risk management provides the foundation for effective cybersecurity.  Risk management is the process that organizations use to identify, assess, and mitigate potential threats and vulnerabilities including cyber threats and vulnerabilities.  It involves a systematic approach to the analysis of uncertainties and the making of informed decisions to minimize negative outcomes while taking advantage of opportunities.

Organizations identify risks by assessing the factors, both internal and external, that could lead to disruption. The identification process is well documented and includes:

  • Asset management provides an inventory of all digital assets. This includes hardware, software, and data. These are the targets.
  • Configuration management ensures that an organization’s systems, applications, and devices are properly configured and maintained in accordance with established security standards. Patch management is the application of security updates and patches to software and systems on a regular basis. Patch management is a critical defense mechanism because cyber attackers often exploit known vulnerabilities. This is the current state of the targets.
  • Enterprise Architecture and Data Flows provide the framework within which the organization operates. These are the pathways, both digital and physical, by which bad actors will have access to their targets. [7]

Once risks are identified, the next step is an assessment of their potential impact and likelihood. This assessment helps prioritize risks and allocate resources accordingly.

Organizations develop strategies to mitigate risks after the assessment. These strategies may include implementing preventive measures, creating contingency plans, or transferring risk through insurance. Organizational partners, such as regulators, the insurance industry, and trade associations, are critical to ensuring the effectiveness of risk management efforts.
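A worked illustration of the identify, assess, mitigate sequence described above, added here as an example and not part of the article: a constructed asset inventory (the "targets" and their current patch state) is scored for likelihood (driven by exposure and unapplied patches) and impact (data sensitivity and business impact), ranked, and mapped to the three strategy families the article names (preventive measures, contingency plans, transfer through insurance). The asset names, the scoring weights and the thresholds are assumptions chosen for illustration, not an established scoring standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the asset inventory (hardware, software or data)."""
    name: str
    kind: str               # "hardware", "software" or "data"
    internet_exposed: bool  # reachable from outside the organization
    missing_patches: int    # known security updates not yet applied
    data_sensitivity: int   # 1 (public) .. 5 (regulated, e.g. PHI)
    business_impact: int    # 1 (nuisance) .. 5 (stops operations)


# Constructed inventory for illustration; names and numbers are assumptions.
SAMPLE_ASSETS = [
    Asset("public-web", "software", True, 1, 2, 4),
    Asset("customer-db", "data", False, 3, 5, 5),
    Asset("hr-portal", "software", True, 0, 4, 3),
    Asset("lobby-kiosk", "hardware", False, 0, 1, 1),
]


def likelihood(asset: Asset) -> int:
    """1..5: exposure and patch lag are the drivers (weights are assumptions)."""
    score = 1
    if asset.internet_exposed:
        score += 2
    score += min(asset.missing_patches, 2)
    return min(score, 5)


def impact(asset: Asset) -> int:
    """1..5: the worse of data sensitivity and business impact."""
    return max(asset.data_sensitivity, asset.business_impact)


def risk_score(asset: Asset) -> int:
    """Classic likelihood x impact product, 1..25."""
    return likelihood(asset) * impact(asset)


def recommend(asset: Asset) -> str:
    """Map the score to a strategy family (thresholds are assumptions)."""
    score = risk_score(asset)
    if score >= 15:
        return "prevent: patch and reduce exposure before anything else"
    if score >= 8:
        return "contingency: keep a tested recovery plan and monitor"
    return "accept or transfer: low residual risk, candidate for insurance"


def prioritized_register(assets):
    """Risk register sorted so resources go to the highest scores first."""
    rows = [
        {
            "asset": a.name,
            "likelihood": likelihood(a),
            "impact": impact(a),
            "score": risk_score(a),
            "strategy": recommend(a),
        }
        for a in assets
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritized_register(SAMPLE_ASSETS):
        print(f"{row['score']:>2}  {row['asset']:<12} "
              f"L={row['likelihood']} I={row['impact']}  {row['strategy']}")
```

Run as a script, the register prints the four constructed assets with the exposed, unpatched web server first; in practice the inventory rows would come from the asset and configuration management sources the list above describes.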

Regulators

Second, regulatory bodies are playing a key role in creating a “Duty of Care/Standard of Practice.” There are many cybersecurity regulations enacted by governments and regulatory bodies to help protect digital assets, data, and information systems from cyber threats and attacks. These legal frameworks and guidelines set standards for organizations to follow, enforce compliance, and mitigate risks associated with cyber incidents.

On July 26, 2023, the Securities and Exchange Commission “adopted rules requiring registrants to disclose material cybersecurity incidents they have experienced and to disclose material information about their cybersecurity risk management, strategy and governance on an annual basis. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.” As noted in the release, “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it can be material to investors,” said SEC Chairman Gary Gensler. “Currently, many public companies provide cybersecurity disclosures to investors. However, I believe companies and investors alike would benefit from this disclosure being provided in a more consistent, comparable, and decision-useful manner. By helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets that connect them.”[8]

Cybersecurity regulations vary by country and region. However, they generally aim to protect critical infrastructure, sensitive data, and personal information.[9]  Some examples of cybersecurity regulations include:

  • General Data Protection Regulation (GDPR) – European Union: The GDPR is perhaps the most comprehensive data protection regulation. It sets strict guidelines for the collection, processing, and storage of personal data of EU citizens. It applies to any organization that processes the data of EU residents regardless of their location. GDPR requires organizations to have robust security measures in place, report data breaches within 72 hours, and obtain explicit consent for data processing.[10]
  • Network and Information Systems (NIS) Directive – European Union: The NIS Directive is another European Union regulation with the aim of improving the cyber security and resilience of critical infrastructure sectors such as energy, transport and healthcare. It requires operators of essential services and digital service providers to take measures to prevent and mitigate cyber threats and to report significant incidents to national authorities.
  • Cybersecurity Law of the People’s Republic of China: The Cybersecurity Law of the People’s Republic of China imposes strict requirements on network operators and service providers to protect critical information infrastructure. It mandates data localization and requires organizations to provide technical support and assistance to government agencies in enforcing the law.
  • Health Insurance Portability and Accountability Act (HIPAA) – United States: HIPAA is a federal regulation that sets standards for the protection of sensitive healthcare information known as Protected Health Information (PHI). It requires providers, plans and other covered entities to implement technical and administrative safeguards to ensure PHI’s confidentiality, integrity and availability.
  • California Consumer Privacy Act (CCPA) – United States: The CCPA is a state-level privacy law in California. It gives consumers more control over their personal information. It requires companies to disclose how they collect, use and share personal information. It also gives consumers the right to opt out of information sharing. The CCPA also imposes certain security obligations on organizations for the protection of consumer information.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework – United States: The NIST Cybersecurity Framework is a widely recognized guideline for organizations to manage and reduce cybersecurity risks, although it is not a regulation. It provides a flexible and customizable approach to improving cybersecurity posture. It categorizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond and Recover.[11]

These are examples of the diversity of cybersecurity regulations around the world each of which is tailored to meet the unique needs and challenges of their respective regions. Compliance with these regulations is essential for organizations to ensure data protection, maintain customer trust, and avoid legal and financial penalties resulting from breaches or non-compliance.

Insurance Industry

Providing organizations with a financial safety net against the increasingly complex and costly landscape of cyber threats, the insurance industry has emerged as a critical component in the cybersecurity space. Cyber insurance plays a key role in risk management strategies by providing coverage for potential losses resulting from data breaches, hacking incidents, and other cyber incidents.

With its liability models, cyber insurance can incentivize organizations to improve their cybersecurity posture. Liability models are assessments of the potential risks and liabilities associated with the insurance of individuals, property, or businesses. The models allow insurance companies to set premiums, allocate resources, and manage their overall exposure to risk.

Insurance premiums can be a reflection of an organization’s security posture and an incentive for risk mitigation efforts. In the event of a breach, having a comprehensive cyber insurance policy can help mitigate financial losses and legal ramifications which underscores the importance of prevention. For cybersecurity purposes, a liability model may be an assessment of potential liabilities and financial losses from data breaches, cyber-attacks, or other security incidents.

The role of insurance in the cybersecurity arena is two-fold. First, by covering the costs associated with data breach notification, forensic investigation, legal fees, and potential litigation, it helps mitigate the financial impact of a cyber incident.

More importantly, for establishing a “standard of practice,” the insurance industry can strongly encourage organizations to adopt robust cybersecurity measures. This encouragement has historical precedent.

The Hartford Steam Boiler Inspection and Insurance Company (HSB)

Founded in 1866, HSB is a pioneer in providing equipment breakdown insurance often referred to as boiler and machinery insurance. This type of insurance arose from the need to address financial risks associated with steam boilers and machinery which became increasingly important to industrial operations in the late 1800s.

In the 19th century, boilers routinely failed. The consequences were usually explosive.  As an insurance company, HSB was often responsible for the losses. HSB responded by researching the causes, developing standards, and requiring that these standards be implemented to be insurable – the Hartford Loop.

Catastrophic boiler explosions were prevented by the Hartford Loop. By maintaining a constant water level in the boiler, the Loop mitigates the risk of overheating and rapid conversion of water to steam that led to many of these explosions.

The adoption of the Hartford Loop as an industry standard in steam boiler design significantly improved safety in multiple industries. Its incorporation became a fundamental practice to ensure the safe operation of steam boilers.

Through its inspections and risk assessments, HSB contributed to the standardization of safety practices in industries that relied on steam power equipment. This led to the adoption of safer design and operating standards. As a result, the frequency and severity of accidents were reduced.

HSB’s involvement in equipment safety and risk assessment influenced engineering practices. This led to the development of safer designs and operating protocols. HSB’s expertise helped insurers, engineers and industrial operators collaborate to create safer working environments.

The insurance industry could be a leader in similar cybersecurity efforts by requiring policyholders to implement specific security protocols and risk management practices in order to qualify for coverage. This would provide an incentive for organizations to invest in proactive cybersecurity measures, such as regular vulnerability assessments, employee training, and system monitoring which would ultimately reduce the likelihood and severity of cyber incidents.

Industry Associations

Associations play a crucial role in helping develop and promote cybersecurity best practices across industries and sectors. Associations focus on specific industries or sectors tailoring their cybersecurity efforts to address unique challenges within those fields. This industry-specific approach ensures that best practices are relevant and practical for the specific context in which organizations operate. These organizations provide a platform for collaboration, knowledge sharing, and the establishment of standards that contribute to a more secure digital environment.

There are numerous associations who are creating cybersecurity “Standards of Practice” for their respective industries, including:

  • Electric Grid Cybersecurity Alliance (EGCA): The EGCA (https://www.electricgridcyber.org) has published a series of playbooks for its members on a wide variety of topics. These include “How to secure a power plant,” “How to confidently make cybersecurity decisions,” “How to counter cyber threats to meters and the last mile,” building a great cybersecurity team, the role of the Board in grid cybersecurity, and many more.[12]
  • International Air Transport Association (IATA): For the air transport industry, IATA supports an industry-wide Aviation Cyber Security Strategy to enhance the industry’s capability in addressing this ever-evolving cyber threat. This work is guided by the Security Advisory Council (SAC) and Digital Transformation Advisory Council (DTAC). The Aviation Cyber Security Strategy is focused on four main principles:

    • Cybersecurity culture: Promoting a positive cybersecurity culture and raising awareness across the industry.
    • Transparency and trust: Establishing a global approach to cybersecurity with a similar mindset to that which has guided aviation on safety and general security issues, including supply chain aspects.
    • Communication and collaboration: Creating stronger relationships among players in the aviation industry and external entities to improve the development of best practices and the management of cybersecurity risks.
    • Workforce: Ensuring that aviation personnel are trained to recognize and manage cybersecurity risks and inspire the next generation of leaders.[13]
  • Real Estate Cyber Consortium (RECC): The RECC seeks “to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities. Specifically, the goal of the partnership with manufacturers, and associated supply chain and service providers is to align the development, deployment, and ongoing support of building technology solutions to a core set of security principles and standards. The Consortium shares leadership and insight on best practices, policies, and procedures across real estate owners, operators, and solution providers.”[14]

Industry associations have an important role to play in the development and dissemination of best practices in the cybersecurity field. Through knowledge sharing, standardization, research, education, advocacy, and collaboration, they contribute to a more secure digital landscape. By bringing together professionals and stakeholders, they enable organizations to take a proactive approach to cybersecurity challenges and implement effective strategies to protect their digital assets and sensitive information.[15]

Implementing “Duty of Care/Standard of Practice”

As with regulatory schemas, there are many cybersecurity frameworks. Unlike regulatory schemas, a business can generally pick from an extensive list of frameworks and Secure by Design/Secure by Default principles. The goal remains the same: information/operational technology professionals need to become more transparent and accountable, in short, more trustworthy. Selecting the “right” framework and set of principles requires an analysis of organizational needs. Many variables come into play, including industry alignment, organizational size and complexity, ease of implementation, integration with existing processes, cost, and many more.

Frameworks

Frameworks provide structured guidelines and best practice. They help enhance cybersecurity strategy, risk assessment and incident response.  Some common frameworks include:

  • NIST 800-53: Cybersecurity guidelines by NIST for federal systems, ensuring protection, detection, and response to threats.
  • NIST 800-171: NIST standard for safeguarding Controlled Unclassified Information (CUI) in non-federal systems.
  • CIS Controls®: Best practices from CIS for enhancing cybersecurity posture and mitigating common threats.
  • CMMC: Framework ensuring cybersecurity practices in defense contracts, assessing contractors’ maturity levels.
  • HIPAA: Regulations safeguarding patient data privacy and security in the healthcare industry.
  • FAIR framework: A robust and well-established risk management model for analyzing and quantifying information risk, aiding decision-making and resource allocation.
  • Cybersecurity Maturity Model Certification (CMMC): The newest framework, CMMC is a five (5) level maturity model focused on the US defense industry sector. Level 1 adheres to “basic cyber hygiene” practices. Level 3 has a management plan in place of “good cyber hygiene” and includes 110 of the controls from NIST 800-171 to safeguard CUI. Meanwhile, at Level 5, the contractor demonstrates standardized and optimized processes providing more sophisticated capabilities to detect and respond to advanced persistent threats. Previously, contractors could self-certify their cybersecurity compliance with NIST SP 800-171. Now, contractors must get a third-party assessment.[16]

Secure by Design/Secure by Default

“Secure by Design” and “Secure by Default” are design principles that emphasize incorporating security measures and considerations into the design and architecture of hardware, software, and systems from the beginning of the development process.[17] Security is baked in, not bolted on.

The goal of “Secure by Design” is to create systems that are inherently resistant to vulnerabilities and cyber threats, rather than attempting to add security as an afterthought or separate layer. By integrating security considerations at the design stage, secure by design aims to create more resilient, reliable and secure systems that are better equipped to withstand and mitigate the ever-evolving landscape of cyber threats. This approach helps minimize the need for costly and time-consuming security fixes or redesigns after a system is deployed. [18]

“Secure by Default” are “products that are secure out of the box, require little to no configuration changes, and are available at no additional cost, such as multi-factor authentication (MFA), collect and log evidence of potential intrusions, and control access to sensitive information.”[19] Key principles of secure by design include:

  1. Threat Modeling: Identifying potential security threats and vulnerabilities early in the design phase and designing countermeasures to mitigate these risks.
  2. Least Privilege: Limiting access and permissions to the minimum required for a user or component to perform its intended function, reducing the potential attack surface.
  3. Layered Security: Implementing multiple layers of security controls and mechanisms to provide defense-in-depth against various types of attacks.
  4. Data Validation and Sanitization: Ensuring that all input data is validated, sanitized, and properly handled to prevent common attack vectors such as injection attacks.
  5. Default Secure Configuration: Setting secure defaults for system and software configurations, minimizing unnecessary features and services that could introduce vulnerabilities.
  6. Strong Authentication and Access Controls: Implementing strong authentication methods and granular access controls to restrict unauthorized access.
  7. Encryption: Employing encryption mechanisms to protect data both in transit and at rest, ensuring confidentiality and integrity.
  8. Error Handling: Implementing robust error handling mechanisms to prevent information leakage that attackers could exploit.
  9. Regular Updates and Patching: Designing the system to be easily updatable and ensuring that security patches can be applied efficiently.
  10. User Awareness: Incorporating user education and awareness about security best practices into the design to mitigate social engineering and other user-related risks.

By integrating security considerations throughout the development process, “Secure by Design” and “Secure by Default” aim to create more resilient, reliable, and secure systems that are better equipped to withstand and mitigate the ever-evolving cyber threat landscape. These approaches help minimize the need for costly and time-consuming security fixes or redesigns after a system has been put into service.
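Several of the principles listed above in running code, added here as an example that is not from the article or from CISA: a hypothetical service configuration whose defaults are the secure choice (Default Secure Configuration), which refuses to weaken a default unless the weakening is explicit and carries a recorded risk acceptance; an allow-list validator for usernames (Data Validation and Sanitization); a role check before administrative actions (Least Privilege); and an error path that logs detail server-side but returns only a generic message to the caller unless debug mode was deliberately enabled (Error Handling). The field names, the role name, the username rule and the limits are assumptions made for this example.

```python
import logging
import re
from dataclasses import dataclass, fields

log = logging.getLogger("service")


@dataclass(frozen=True)
class ServiceConfig:
    """Secure by default: a deployment that sets nothing is still hardened.
    (Hypothetical service; field names are assumptions.)"""
    require_mfa: bool = True
    require_tls: bool = True
    audit_logging: bool = True
    debug_mode: bool = False            # verbose client-facing errors off
    session_timeout_min: int = 15
    admin_roles: frozenset = frozenset({"security-admin"})


class ConfigError(ValueError):
    """Raised when an override is malformed or silently weakens security."""


# Values that would weaken a secure default; each needs a recorded justification.
_WEAKENING = {"require_mfa": False, "require_tls": False,
              "audit_logging": False, "debug_mode": True}


def load_config(overrides: dict) -> ServiceConfig:
    """Build the config from operator overrides, rejecting unjustified weakening."""
    justification = str(overrides.get("risk_acceptance", "")).strip()
    for key, weak_value in _WEAKENING.items():
        if key in overrides and overrides[key] == weak_value and not justification:
            raise ConfigError(
                f"{key}={weak_value!r} weakens a secure default; "
                "a risk_acceptance note is required")
    timeout = overrides.get("session_timeout_min", 15)
    if isinstance(timeout, bool) or not isinstance(timeout, int) or not 1 <= timeout <= 60:
        raise ConfigError("session_timeout_min must be an integer between 1 and 60")
    known = {f.name for f in fields(ServiceConfig)}
    return ServiceConfig(**{k: v for k, v in overrides.items() if k in known})


# Allow-list the shape of the input rather than trying to strip bad characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")


def validate_username(raw) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError(f"username rejected by allow-list: {raw!r}")
    return raw


def handle_request(cfg: ServiceConfig, username, user_roles, action: str) -> dict:
    """Validate input, enforce least privilege, and fail without leaking detail."""
    try:
        user = validate_username(username)
        # Least privilege: only the configured admin roles may run admin actions.
        if action == "admin" and not (set(user_roles) & cfg.admin_roles):
            if cfg.audit_logging:
                log.warning("denied action=%s user=%s", action, user)
            return {"status": 403, "error": "forbidden"}
        if cfg.audit_logging:
            log.info("action=%s user=%s", action, user)
        return {"status": 200, "user": user, "action": action}
    except Exception as exc:
        # Full detail stays in the server log; the client sees a generic message
        # unless debug_mode was explicitly (and justifiably) switched on.
        log.error("request failed: %r", exc)
        detail = str(exc) if cfg.debug_mode else "request could not be processed"
        return {"status": 400, "error": detail}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    cfg = load_config({"session_timeout_min": 30})
    print(handle_request(cfg, "alice", ["viewer"], "admin"))
    print(handle_request(cfg, "alice", ["security-admin"], "admin"))
    print(handle_request(cfg, "bad name!", [], "read"))
```

The point of the `load_config` shape is that insecure states cannot arise by omission: an operator who wants MFA off must say so and must leave an audit trail saying why, which is the behavioural difference between "secure out of the box" and "secure if someone remembered to configure it".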

The Data Flows

The development of the electrical code stands as a testament to the importance of collaboration, innovation, and safety in the modern world. From its modest beginnings in the late 19th century to its current status as a comprehensive and dynamic document, the electrical code has played a vital role in the safe generation, distribution, and utilization of electrical power. The result is that lights go on, and lights go off safely, and reliably.

The information/operational technology industry has to meet that same challenge. Data has to flow – safely, reliably. Different manufacturers, different processes, the same result. The industry needs to be driven by a commitment to safeguarding lives, property, and the stability of the ever-changing technology infrastructure. The development of “Duty of Care/Standard of Practice” principles ensures that the data is safe and reliable.

Henry J. Sienkiewicz

References

Cybersecurity & Infrastructure Security Agency. (2023, September 16). Secure By Design. Retrieved from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/securebydesign

Duty of Care. (2017, March 17). Retrieved from Legal Dictionary: https://legaldictionary.net/duty-of-care/

Electric Grid Cybersecurity Alliance (ECGA). (2023, January 15). Retrieved from Electric Grid Cybersecurity Alliance (ECGA): https://www.electricgridcyber.org/

National Fire Protection Association (NFPA). (2023). National Electrical Code. National Fire Protection Association (NFPA).

Law Insider. (2023, August 16). Standard of Practice. Retrieved from Law Insider: https://www.lawinsider.com/dictionary/standard-of-practice

Real Estate Cyber Consortium (RECC). (2023, Sept 16). Real Estate Cyber Consortium (RECC). Retrieved from Real Estate Cyber Consortium (RECC): http://www.reccinc.org

Securities and Exchange Commission. (2023, July 23). SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Retrieved from Securities and Exchange Commission: https://www.sec.gov/news/press-release/2023-139

Sienkiewicz, H. J. (2018, Spring). Cybersecurity Impacts of the EU GDPR. Retrieved from United States Cybersecurity Magazine: https://www.uscybersecurity.net/csmag/cybersecurity-impacts-of-the-eu-gdpr/

Sienkiewicz, H. J. (2023). Perspectives in Additional Cybersecurity. Georgetown University MPTM 665.

Touhill, G. (2014). Cybersecurity for Executives: A Practical Guide 1st Edition. Wiley.

[1] (National Fire Protection Association (NFPA), 2023)

[2] (Duty of Care, 2017)

[3] (Law Insider, 2023)

[4] (National Fire Protection Association (NFPA), 2023)

[5] (Touhill, 2014)

[6] (Sienkiewicz, 2023)

[7] (Touhill, 2014)

[8] (Securities and Exchange Commission, 2023)

[9] (Sienkiewicz, 2023)

[10] (Sienkiewicz, Cybersecurity Impacts of the EU GDPR, 2018)

[11] (Sienkiewicz, 2023)

[12] (Electric Grid Cybersecurity Alliance (ECGA), 2023)

[13] (Sienkiewicz, 2023)

[14] (Real Estate Cyber Consortium (RECC), 2023)

[15] (Sienkiewicz, Perspectives in Additional Cybersecurity, 2023)

[16] (Sienkiewicz, 2023)

[17] (Cybersecurity & Infrastructure Security Agency, 2023)

[18] (Cybersecurity & Infrastructure Security Agency, 2023)

[19] (Cybersecurity & Infrastructure Security Agency, 2023)
