The Washington-based Federal Energy Regulatory Commission Thursday approved eight “critical infrastructure protection” (CIP) standards intended to protect the electric-power grid operated by the nation’s utilities from coming under cyberattack because of poor access control, software vulnerabilities or other weaknesses in their data-control systems.

FERC, which has regulatory authority over U.S. electric and gas utilities, decided in a unanimous vote to require that users, owners and operators of what’s called the “bulk power system” for electricity establish policies and plans to safeguard physical and electronic access to control systems, according to the eight CIP principles. FERC Chairman Joseph Kelliher called the commission’s decision a milestone in “adopting the first mandatory and enforceable reliability standards that address cybersecurity concerns on the bulk power system in the United States.”

These standards, in summary, are:

— Critical cyberasset identification
— Security management controls
— Personnel and training
— Electronic security perimeters
— Physical security of critical cyberassets
— Systems security management
— Incident reporting and response planning
— Recovery plans for critical cyberassets

The CIP standards were proposed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the organization that will oversee compliance with them.
During the FERC public meeting Thursday, Kelliher said that adoption by the energy industry of the eight CIP measures would work to deter “any organized group that might be intentionally trying to disrupt the grid.”

FERC Commissioner Jon Wellinghoff called the decision by the FERC an important one to better secure an interconnected grid system, but Commissioner Philip Moeller raised the question of whether the country would end up with a “more disconnected bulk-power grid as a way to defend against a cyberattack.”

In discussing its decision to adopt the CIP standards to regulate the bulk-power grid, FERC acknowledged that it had received many comments from the power companies related to the concern that the older data-control equipment they have in place today is not designed to adhere to strict security guidelines that might entail software patching or running security and management software.

While the final, complete text of FERC’s regulatory order has yet to be issued (it’s expected out in the next few days), the commission did indicate it expected the energy industry to improve its power-control systems, if need be, to meet the new security guidelines, in spite of concerns voiced that the older supervisory control and data acquisition (SCADA) systems running power grids can’t be upgraded to meet the security requirements. In a public statement, the commission also said it will work further to “strengthen standards” even more, and the commission asked NERC to “monitor the development and implementation of cybersecurity standards by the National Institute of Standards and Technology (NIST)” to “determine whether they contain provisions that will protect the bulk-power system better than the CIP Reliability Standards.”

NIST has been developing competing standards for government-operated energy providers, such as the Tennessee Valley Authority.
However, FERC Thursday held off directing NERC to adopt the standards that NIST is developing for government-operated utilities.

The American Public Power Association, the Washington-based trade association representing many U.S. power companies, today issued comments that it was “pleased the commission approved NERC’s proposed CIP standards,” but said it would withhold more complete comment until it could review the FERC order.

By Ellen Messmer, Network World (US)