
New Cyber-Security Standards for N. American Power System

The North American Electric Reliability Corporation's board of trustees has approved changes that make cyber-security compliance for the electric industry more stringent

By Joan Goodchild, Senior Editor, CSO

May 06, 2009

Revised cyber-security standards for the North American bulk power system were approved by the North American Electric Reliability Corporation's (NERC) independent board of trustees Wednesday.

The revised standards were passed by the electric industry last week with an 88 percent approval, according to NERC officials, who noted that the majority approval indicated strong support in the industry for the more stringent standards.

"The approval of these revisions is evidence that NERC's industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cyber security of the electric grid," said Michael Assante, Vice President and Chief Security Officer at NERC, in a statement.

The standards, according to the statement, comprise approximately 40 'good housekeeping' requirements designed to lay a solid foundation of sound security practices. The approved revisions address concerns raised by the Federal Energy Regulatory Commission when it conditionally approved the standards currently in effect. The revisions notably include the removal of the term "reasonable business judgment," said NERC officials.

The standards "if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats," the statement noted. Entities that fail to comply can be fined up to $1 million per day, per violation in the U.S., with other enforcement provisions in place throughout much of Canada, said NERC. Audits for compliance will begin on July 1, 2009.

The changes come on the heels of a Wall Street Journal report last month that cited national-security officials who claimed cyberspies from China, Russia and other countries had successfully penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. However, Assante stressed in his statement that the changes were part of a process that was launched last July and was already well underway.

"It's important to note, however, that these standards are not designed to address specific, imminent cyber security threats," he said. "We firmly believe carefully crafted emergency authority is needed at the government level to address this gap."

The revised Critical Infrastructure Protection reliability standards are available here. A second phase of revisions will be presented to the board in 2010.
