In Depth

Security Standards for Power Companies

Power companies have developed converged security standards for protecting and managing risks.

By Michael Fitzgerald

January 01, 2007 | CSO — Electrical utilities have developed converged standards for protecting and managing risks. Is your industry next?

It took four years, twice as long as Larry Bugh thought it would, but the nation now has a proposed set of standards designed to help protect the North American power grid from cyberattack. These standards, dubbed critical infrastructure protection Permanent Cyber Security Standards and released by the North American Electric Reliability Council (NERC) in May, represent what appears to be the first set of security standards to address every aspect of cybersecurity, including operation, management and even the physical safety of cyberassets.

The Federal Energy Regulatory Commission (FERC) is poised to adopt these standards, which have the potential to be seen as a model by players in other industries that make up the nation's critical infrastructure.

Bugh is a leading player in the standards effort. He is CSO at ReliabilityFirst, one of the eight U.S. reliability councils that monitor and enforce good reliability practices in the power industry. He chaired the 25-member NERC standards draft team, which was formed in early 2003. The federal government asked the team to discuss how electric providers should respond to industry trends that showed a growing number of electrical utilities connecting their control systems to their computer networks.

Those powerful network links led to some real disconnects between professionals with different areas of expertise. Bugh says that executives at many utilities were unfamiliar with the idea of having to protect control systems from cyberattack since, in the past, control systems have typically been kept separate from other systems. But as technology has evolved and the power industry has looked for operational efficiencies, control systems have become more connected to computer systems and the Internet, and therefore face emerging computer security threats. (See "Out of Control," www.csoonline.com/read/080104.)

Meanwhile, computer security experts had trouble adapting to the idea that any cybersecurity protections needed to be implemented in ways that did not so much as slow down the control systems.

So NERC, whose 7,500 members comprise most of the electric sector entities (including cooperatives, government and investor-owned) in the United States and Canada, as well as those in Baja, Mexico, set up the draft team to devise the original standards in August 2001.

"We knew we were breaking new ground, and we knew it would be controversial," Bugh says of the effort and its intended product. Even so, he figured it would take only a couple of years to work things out. But a first draft that generated 900 pages of comments from NERC members was a sign of how much work was ahead.
