In Depth

Security Standards for Power Companies

Power companies have developed converged security standards for protecting and managing risks.

By Michael Fitzgerald


Standards with Muscle

The new critical infrastructure protection (CIP) standards stand out both for their breadth and their teeth—once FERC approves the CIP standards, both the industry group and the government will have the power to fine member utilities that don't comply with them.

The standards are broad, affecting everything from the hiring process for people who will be responsible for cybersecurity (including background checks), to guidelines for perimeter security responsibility and controls. They cover, among other things, training standards, management systems, electronic security, physical security, and incident reporting and response.

NERC officials are careful to note that the new infrastructure standards cover only cybersecurity—the physical aspects of the standard relate specifically to physically securing cyberassets, not, say, power transmission lines or turbine generators. Still, the effort will mean that any piece of information technology whose vulnerability could affect a control system's operation—whether it be a computer system, backup system, network equipment or software—needs to be protected.

That risk coverage is a noteworthy step, says Dale Peterson, director of the consulting practice at Digital Bond, a company that consults on supervisory control and data acquisition, or SCADA, systems for a variety of industries, including electric power generators. Peterson has blogged extensively (at www.digitalbond.com) about the NERC standards as they have been developed. "There are no other standards in the cybersecurity space that say 'you must do this,' and have a measurement component and have an audit plan," he says.

Peterson says this represents a significant shift from the guideline documents common to this industry, which have loose recommendations. "These say 'must' or 'shall.' These standards can be audited, and you can say if it's compliant or noncompliant," he says.

Covering Digital and Physical Ground

The new critical infrastructure protection standards, formally titled the Permanent Cyber Security Standards, replaced an earlier version developed in the wake of the September 11 attacks. That version, called the Urgent Action Cyber Security Standard (also known as CIP 1200), was approved the day before the August 2003 blackout and was considered a temporary measure.

The NERC group working on the new critical infrastructure protection standards used CIP 1200 as a jumping-off point, but the new standards are far broader, with eight categories covering the gamut of physical, operational and cybersecurity challenges. Among other things, the standards would require: background checks of potential employees, access authorization on both the physical and systems side of a utility, and establishment of a full-scale disaster response and restoration plan for both cyber and physical incidents. (See "Mission Critical," opposite page.)

