Security Standards for Power Companies
Power companies have developed converged security standards for protecting and managing risks.
By Michael Fitzgerald
January 01, 2007 — CSO — Electrical utilities have developed converged standards for protecting and managing risks. Is your industry next?
It took four years, twice as long as Larry Bugh thought it would, but the nation now has a proposed set of standards designed to help protect the North American power grid from cyberattack. These standards, the Critical Infrastructure Protection (CIP) Permanent Cyber Security Standards released by the North American Electric Reliability Council (NERC) in May 2006, appear to be the first set of security standards to address every aspect of cybersecurity for the grid, including the operation and management of cyber assets and even their physical security.
The Federal Energy Regulatory Commission (FERC) is poised to adopt these standards, which have the potential to be seen as a model by players in other industries that make up the nation's critical infrastructure.
Bugh is a leading player in the standards effort. He is CSO at ReliabilityFirst, one of the eight U.S. reliability councils that monitor and enforce good reliability practices in the power industry. He chaired the 25-member NERC standards draft team, which was formed in early 2003. The federal government asked the team to discuss how electric providers should respond to industry trends that showed a growing number of electrical utilities connecting their control systems to their computer networks.
Those powerful network links led to some real disconnects between professionals with different areas of expertise. Bugh says that executives at many utilities were unfamiliar with the idea of having to protect control systems from cyberattack since, in the past, control systems had typically been kept separate from other systems. But as technology has evolved and the power industry has looked for operational efficiencies, control systems have become more connected to corporate computer systems and the Internet, and are therefore exposed to emerging computer security threats. (See "Out of Control," www.csoonline.com/read/080104.)
Meanwhile, computer security experts had trouble adapting to the idea that any cybersecurity protections needed to be implemented in ways that did not so much as slow down the control systems.
So NERC, whose 7,500 members comprise most of the electric sector entities (including cooperatives, government and investor-owned utilities) in the United States and Canada, as well as those in Baja California, Mexico, set up the draft team to devise the original standards in August 2001.
"We knew we were breaking new ground, and we knew it would be controversial," Bugh says of the effort and its intended product. Even so, he figured it would take only a couple of years to work things out. But a first draft that generated 900 pages of comments from NERC members was a sign of how much work was ahead.