By Ernie Hayden, CISSP, CEH
The month of February was an interesting one when it came to the state of the electric grid and cybersecurity. The month included one seminal report, one key news report from England, and formation of a working group to focus on improving the U.S. electric grid cybersecurity. What does this all mean?
In early February, the U.S. Department of Energy (DOE) Office of Inspector General (OIG) publicly released an audit it performed regarding the Federal Energy Regulatory Commission’s (FERC’s) oversight and assurance of electric grid cybersecurity. This report, entitled “Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security,” detailed the DOE’s perspective on how FERC is managing and overseeing the North American Electric Reliability Corporation (NERC). The report found that FERC had not gone far enough to specifically identify what constituted “Critical Assets” on the electric grid. The report also suggested that there was an overemphasis on documentation and not enough on actual patch management and implementation of other technical security controls. It should be noted, however, that the report also recognized that FERC “…had only limited authority to ensure adequate cyber security over the bulk electric system.”
In late February, The Telegraph newspaper in the United Kingdom published an article that opened with the headline: “Energy firms believe a major cyber attack against the grid will be launched in the next 12 months, but are not responding to the growing threat…” According to the article’s author, Christopher Williams, this headline was based on a survey conducted by the Center for Strategic and International Studies in Washington, DC for the security firm McAfee.
These two news items alone certainly raise concerns about the status of the electric grid and whether it truly is cyber secure. Unfortunately, these news items are also raising questions and concerns among U.S. legislators – both Republican and Democrat – to the point that they may feel obliged to take action and put new, stringent laws in place to force more security on the grid.
Hopefully that will not be the result.
In the meantime, as also announced in early February – on the same day as the public release of the DOE OIG report – the DOE, NERC and the National Institute of Science and Technology (NIST) have agreed to form a working group, focused on developing cyber security standards for the electric grid. In the words of the press release, “The group will develop a risk management process guideline that provides utilities a flexible, fundamental approach to managing cyber security risks through a three-tiered approach, addressing risks at the (i) organization level; (ii) mission/ business process level; and (iii) information system level. This process will allow a utility to better understand its risks, assess the severity, and allocate resources more efficiently to manage them.”
February has been a very interesting month. As an observer of the electric grid cybersecurity situation, I see a substantial amount of shuffling, but also considerable room for finalizing requirements and ensuring that utilities know what they need to do to be secure and compliant. Our wish is that we do get a more secure electric grid that is also reliable and resilient.
Needless to say, there is a lot more to watch in this space. Perhaps March will come in like a lion and go out like a lamb?
Do you Think Forward?
Ernie is the Managing Principal for the Verizon Business Energy and Utility practice with extensive experience in the power utility industry and critical infrastructure protection/information security. At Verizon Business he is a primary contributor to customer dialogue in the areas of smart grid cybersecurity and electric grid cybersecurity including NERC Critical Infrastructure Protection (CIP) standards.