New Cyber-Security Standards for N. American Power System

The North American Electric Reliability Corporation's board of trustees has approved changes that make cyber-security compliance for the electric industry more stringent

Revised cyber-security standards for the North American bulk power system were approved by the North American Electric Reliability Corporation's (NERC) independent board of trustees Wednesday.

The revised standards were passed by the electric industry last week with 88 percent approval, according to NERC officials, who said the size of the majority showed strong industry support for the more stringent standards.

"The approval of these revisions is evidence that NERC's industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cyber security of the electric grid," said Michael Assante, Vice President and Chief Security Officer at NERC, in a statement.

The standards, according to the statement, comprise approximately 40 'good housekeeping' requirements designed to lay a solid foundation of sound security practices. The approved revisions address concerns raised by the Federal Energy Regulatory Commission when it conditionally approved the standards currently in effect. Notably, the revisions remove the term "reasonable business judgment," NERC officials said.

The standards "if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats," the statement noted. Entities that fail to comply can be fined up to $1 million per day, per violation in the U.S., with other enforcement provisions in place throughout much of Canada, said NERC. Audits for compliance will begin on July 1, 2009.

The changes come on the heels of a Wall Street Journal report last month that cited national-security officials who claimed cyberspies from China, Russia and other countries had successfully penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. However, Assante stressed in his statement that the changes were part of a process that was launched last July and was already well underway.

"It's important to note, however, that these standards are not designed to address specific, imminent cyber security threats," he said. "We firmly believe carefully crafted emergency authority is needed at the government level to address this gap."

The revised Critical Infrastructure Protection reliability standards are available here. A second phase of revisions will be presented to the board in 2010.

Copyright © 2009 IDG Communications, Inc.
