[ISN] New energy bill has cybersecurity repercussions

InfoSec News isn at c4i.org
Fri Aug 12 01:09:53 EDT 2005 

http://www.computerworld.com/securitytopics/security/story/0,10801,103834,00.html

By Thomas Hoffman 
AUGUST 11, 2005
COMPUTERWORLD

The new energy bill signed into law by President Bush this week is
expected to have the greatest impact on IT departments at power
companies because it allows federal enforcement of upcoming
cybersecurity standards, according to industry IT executives and other
experts.

Under the new law, the Federal Energy Regulatory Commission (FERC) has
the authority to establish a national electric reliability
organization with the power to oversee and audit reliability
standards. Instead of developing its own standards, the FERC plans to
adopt those set by the North American Electric Reliability Council
(NERC), said Ellen Vancko, a spokeswoman for the organization.

The NERC is a Princeton, N.J.-based voluntary organization that sets
standards for the reliable operation and planning of the nation's bulk
electricity system.

A spokeswoman for the FERC was unable to confirm the agency's plans
today.

The NERC is developing cybersecurity standards (see "Utility
cybersecurity plan questioned" [1]) that cover areas ranging from the
security of critical cyber assets to personnel screening and training
requirements. The standards, known as CIP-002 to CIP-009, have been in
the works for the past two years.

Executives from electrical utilities and independent systems operators
(ISO), which oversee regional power grids, recently submitted comments
on the third draft of the cybersecurity standards, said Laurence W.  
Brown, director of legal affairs for the retail energy services
division of Edison Electric Institute Inc. in Washington. Brown said a
fourth draft of the standards is expected to be voted on by
participating energy companies this fall.

If the standards are approved by NERC members and the group's board,
they would likely go into effect next spring, said Brown. That should
give power companies enough time to craft budgets that address the new
requirements and create a list of physical and cyber assets that will
be audited by the new reliability organization established by the
FERC, he said.

Brown said most big utilities and ISOs "are darn near fully compliant
with 1200" -- the predecessor cybersecurity standard created by the
NERC in 2003 -- and with the bulk of the new cybersecurity standards
being drafted. The biggest challenge for power companies in meeting
the upcoming standards, said Brown, is creation of a list of physical
and cyber assets that need to be audited each year.

"The most difficult issue is being able to demonstrate that you have
looked at all of the areas that need to be tested and [are] doing the
work necessary," said Brown.

For instance, Southern Co. identified its critical assets after the
9/11 terrorist attacks in the U.S., but it will now have to put
together a different list to address cyber assets, said Bob Canada, a
business-assurance principal for the Atlanta-based superregional power
company. While there may be some overlap with its post-9/11 asset
management efforts, the new requirements will require "a significant
effort" to implement effective security controls for some of Southern
Co.'s facilities, he said. For example, the company might need to
restrict access by workers to portions of a computer console or an
area of a power plant to ensure that the duties the workers undertake
are authorized, said Canada.

"When we built these things way back, I'm sure they weren't designed
for cybersecurity; they were built to comply with the needs of the
plant," said Canada. He said the amount of time needed to identify and
list Southern Co.'s cyber assets "will be significant."

PJM Interconnection LLC, an ISO that serves 51 million electric
customers from North Carolina to New Jersey, has been tracking its
cyber assets since March 2004 in compliance with the 1200 standard,
said Tom Bowe, chief security officer at the Valley Forge, Pa.-based
company. "I don't want to bait anyone, but do I feel confident in our
level of security," said Bowe. Still, he added, "day to day, that
confidence can ebb and flow with the latest threat that's been
published."

Midwest Independent Transmission System Operator Inc. in Carmel, Ind.,
already identifies and monitors its cyber assets through an SAS 70
audit, said Jim Schinski, vice president and CIO for the nonprofit
organization, which serves the electrical transmission needs for much
of the Midwest. The regional grid operator has twice hired third
parties to try to hack into its systems during the past two years,
said Schinski. Although he declined to talk about vulnerabilities that
had to be corrected, Schinski said, "We came out of the report in very
good shape."

Under the NERC's proposed cybersecurity standards, power companies
will also have to conduct extensive background investigations on
employees. At some companies, that burden may fall upon IT security
departments. For example, PJM's IT security division shares those
responsibilities with the company's human resources department, said
Bowe.

[1] http://www.computerworld.com/securitytopics/security/story/0,10801,101906,00.html

More information about the ISN mailing list