Bob Radvanofsky, owner of the SCADASEC email discussion list, firstname.lastname@example.org
The definitions of "compliance" and "security" (practically) contradict themselves. The definition of "compliance" (n) is
- (a) the act or process of complying to a desire, demand, proposal or regimen or to coercion; or, (b) conformity in fulfilling official requirements;
- a disposition to yield to others;
- the ability of an object to yield elastically when a force is applied.
"Security" (n), is defined as:
- the quality or state of being secure: as (a) freedom from danger; safety (b) freedom from fear or anxiety; or,
- freedom from the prospect of being laid off <job security>
- (a) something given, deposited or pledged to make certain the fulfillment of an obligation; or (b) surety
- an instrument of investment in the form of a document (as a stock certificate or bond) providing evidence of its ownership
- (a) something that secures; protection (b) (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; or, (b (2): an organization or department whose task is security.
[taken from Merriam-Webster’s online dictionary: http://www.merriam-webster.com
To me, these definitions are not synonymous. Clearly, the definition of "security" does NOT constitute a method by which you are "complying to" something; consequently, "being compliant" does NOT guarantee that "something is secure." Interestingly enough, one deals with complying based upon levels of coercion (meaning, that someone or something made you do something against your will, or forcibly caused you do something; as in "if you don't do this, something bad will happen to you."); whereas, with "security" representing a state of mind, meaning that one feels safe or secure only if certain preventative and/or reactive efforts are implemented against an event, incident, element, factor, or threat, internal or external.
Observationally, I have noticed a trend within the energy sector to indicate that organizations feel "secure" or are stating that they are "secure" by being "NERC- compliant". Being "compliant" does NOT constitute that an organization is "secure," and in addition, being "compliant" does NOT constitute that an organization CANNOT be fined or sued over a security breach. To me, many organizations appear to have a false sense of feeling "safe" by stating that they are meeting a minimum requirement stating that they are "NERC-compliant." Interestingly enough, NERC is neither a standards body nor industry expert when it comes to "security," as its primary charter deals with the reliability of providing energy/power to the North American Grid (henceforth, the name of "North American Electricity Reliability Council").
Additionally, both "compliance" and "security" need to be constantly reviewed and mitigated accordingly. If an organization is "compliant" at the time of a security breach, it is still possible that it can remain "compliant," but is now vulnerable to an attack (operationally, cyber, physically, or otherwise), and is therefore, "not secure" (but, still "compliant"). To be "secure" means that, at that time, whatever methods, processes and procedures have been implemented provide an adequate level of safety and surety that an area, environment or the entire enterprise or the organization is "secure." But...humans are ingenious creatures of habit and can (and will) find weaknesses and/or vulnerabilities in any given area of expertise, subject, or topic and it continues to be a game of "cat and mouse", with an almost endless game back and forth between the "cat" (the attacker) and the "mouse" (the victim).
Lastly, "compliance" represents a minimum level of coercion; meaning, that as an organization, you meet the minimum requirement(s) to satisfy <x>. Whereas, with "security," the premise isn't so much a level of minimum or maximum, but "as needed" or "as necessary," not necessarily signifying that you (as an organization) are "complying." Conversely, an organization can be "secure," but not "compliant." Compliance deals with static conditions, either conditions that are repeatedly consistent, or do not change or alter over the course of time. Security, however, assumes nothing is static and works to solve <x>, and evolves (or should evolve) over a period of time; therefore, security is non-static, but dynamic, and covers aspects of human dynamics.
Bob Huba, DeltaV Product Manager, Emerson Process Management email@example.com
The question of how much security do you need to be secure has first to be answered “secure from what?” As an example, during a recent conversation on security I asked a colleague “Do you think you could keep me from breaking into your home?” He replied “Probably not.” I proceeded to mention that the proper reply to that question is “Who are YOU.” If I am a high school kid trying to find an unlocked front door as I walk home from school then yes, you can, and it is easy – just be sure your door is locked. If I am a professional burglar with a crowbar – then you need more protection than simply locking the door.
The point I am trying to make here, and this goes to the second question as well, is that without a vulnerability assessment to know what threats you need to protect against, you can’t know if you have sufficient protections in place to mitigate these threats. Yes, you can take a worst-case vulnerability scenario, but then you run the risk of wasting time and money on too much protection and potentially putting your security emphasis on the wrong solutions that really do not make you more secure.