In Depth
Security Standards for Power Companies
Power companies have developed converged security standards for protecting and managing risks.
By Michael Fitzgerald
Peterson says that electricity providers will be able to read the standards and understand how to build a complete security program. NERC also has organized seminars where people like Bugh talk through the standards with power industry managers.
The standards themselves still face some politicking. The NERC board approved them and considers them in effect for its members as of June 1, 2006. But NERC only submitted the standards to FERC in August, and the federal agency has no deadline for adopting these standards as government policy. NERC also is negotiating with other parties in the North American grid, including the provinces and other regulatory bodies in Canada and the Mexican state of Baja. Thus far, the province of Ontario has signed a memorandum of understanding to adopt the NERC cybersecurity standards.
FERC will release a Notice of Proposed Rule Making and allow for public comments on the standards. It may not give them a rubber stamp, though: NERC submitted 102 standards to FERC for approval in its initial application to become the nation's first Electric Reliability Organization, an entity created by the Energy Policy Act of 2005. FERC has reviewed that list but remanded 20 of the proposed standards to NERC with specific comments about what needs to be done for it to approve them. While FERC could send back some or all of the new CIP standards, Stan Johnson, a manager of situation awareness and infrastructure security at NERC, says he expects the standards to be approved by June.
Members of NERC's drafting team say they tried to make up for the lack of hands-on examples in the standards by creating a three-point framework. "We had to consider three things: the [potential cybersecurity] threat, the consequence of an event and the vulnerability," says George Miserendino, president of Triton Security Solutions. Miserendino was on the CIP cybersecurity drafting team, representing Edison Electrical Institute.
The huge blackout of Aug. 14, 2003, in which a software glitch at a single electrical provider in Ohio cascaded into an event in which 50 million people in North America lost power, underscored the importance of the reliability standards discussion. But Miserendino says that the group's biggest motivator was the threat that FERC might come in and do the regulating for it. In part, he says, that's because the 2005 Energy Act made FERC responsible for electrical transmission reliability and gave the federal agency the ability to fine utilities for noncompliance.