Keeping The Lights On: Cybersecurity Law for the Electric Grid

Posted September 23rd, 2008 by

Ever wondered if your electricity supply was safe from computer attack? Congress wondered that too. So they asked the Federal Energy Regulatory Commission (FERC) to find out. The answers they received in October of 2007 were not encouraging.

After 9/11 there was concern about the safety of the Bulk Power Supply (BPS). The President’s Commission on Critical Infrastructure Protection released a report which was explicit about the dangers faced. A frightening example of these dangers was demonstrated by the Aurora vulnerability, essentially a software hack that made a generator crash hard. When faced with this example, industry moved to mitigate the problem with some prodding from the Department of Homeland Security (DHS), the Nuclear Regulatory Commission (NRC) and FERC. The Nuclear Sector, which is regulated by NRC, issued a requirement to address the problem. The Electric Sector was issued a recommendation to address the problem by the Electric Sector Information Sharing and Analysis Center (ES-ISAC). Guess which industry has moved forward with successful mitigation efforts and which has not. FERC reported back on these findings in October of 2007.

Fast forward to now. On September 11th the Bulk Power System Protection Act (BPSPA) of 2008 (PDF link) was put forward by Rep. Rick Boucher (D-VA), chairman of the House Subcommittee on Energy and Air Quality. In addition to the September 11th hearing on the BPSPA, a closed-door hearing was expected to be conducted the following week. The goal of this legislation is to expand the emergency power of FERC to regulate cybersecurity for the BPS. The act itself does not appear to be strongly opposed by the energy industry but, as always, the devil is in the details.

Diablo Canyon Nuclear Power Plant photo by emdot.

The draft legislation is disputed on three major points: whether to include national security threats, disclosure of threat information, and a sunset provision.

FERC recommends wording that would make explicit the requirement to address national security threats. This seems an implicit and reasonable expectation that the people of the United States would have of the agency regulating the BPS, but the Energy Sector considers this too expansive a role. They argue that it might cause expensive requirements to be issued, such as stockpiling fuel.

The disclosure of threat information is a sore point. Here you can understand the pain of the industry in dealing with government intelligence agencies who would like to keep details of a threat sparse to preserve the source of that information. Unfortunately, the government must preserve its sources while providing enough information for the industry to react.

Both FERC and the Energy Sector agree on the idea of a sunset provision. The sunset provision in this case stipulates that so long as an order is implemented as a standard it should terminate one year after issuance unless renewed by the President or the Secretary of Energy. The issue is whether this sunset will include the orders to address existing problems (such as the Aurora vulnerability) in addition to orders issued for future vulnerabilities. FERC recommends that only future orders should be sunsetted while the Energy Sector recommends both current and future orders should be sunsetted.

One element which is not adequately addressed in this legislation is how FERC will build the capability to assess and manage cybersecurity issues for the BPS. What should be in place is a bipartite separation of duties between FERC and NIST, similar to what is in place with the dual OMB/NIST FISMA roles. FERC would oversee the security while NIST would provide technical guidance on what security should be put in place. FERC does not have the experience in security frameworks or the in-depth expertise in SCADA security which is required for a cybersecurity initiative of this magnitude.

It is worth noting that the Energy Policy Act of 2005 (PDF link) established a process through which the North American Electric Reliability Corporation (NERC) was authorized to enforce cybersecurity in the Energy Sector. NERC had gone so far as to create Critical Infrastructure Protection (CIP) standards to include with their Reliability Standards and had presented them to FERC for approval by late 2007.

A review of the NERC CIP standards (CIP-001 through CIP-009) does not inspire confidence in NERC’s cybersecurity capabilities. I will discuss the shortcomings of this guidance in a subsequent post.


3 Responses

  1.  Semi-Anonymous Says:

    I’m one who often beats the drum of not assigning too much importance to the unique nature of control systems vs. traditional IT systems. That being said, they are somewhat different beasts in that the design goals are reversed. CIA for IT, AIC for control systems – and often just the A.

    Look at the Browns Ferry nuke scram caused by a packet flood, the Hatch nuke scram caused by a reboot issued on the IT network following a software patch, and other case studies in the “SCADA” world to see how some of the provisions in current NIST guidance can be potentially worse than the disease. That being said, if NIST obtains more qualified SCADA/PCS security staff to flesh out SP800-82, Appendix I in SP800-53, and creates an appendix for SP800-30 or creates CI-specific risk frameworks, they can be a good place to do the work of standards development for our sectors. I’m nervous of the industry not being able to provide feedback, however, given the dramatically different design choices throughout the various NERC RE territories.

    Dear NIST/FERC/DHS/NERC, please add a *funded* mandate (even in the form of rate cases) for energy sector companies to protect physical assets – not just “cyber” goodies. P.S. Please don’t use “cyber” in future standards.

    Some of the other provisos of this particular bill (which is tabled for this session, BTW), are concerning. Specifically, the “feasibility” statement with regards to inter-agency cooperation. Feasibility was a major sticking point in FERC Order 706 and they should not get to use it without some constraints. Also, FERC should not be in the business of recommending specific technology and/or service provider solutions. Let them recommend methods and classes of technologies, but never do I want to see a recommendation that causes me to look at a pool of options that isn’t at least 3 vendors deep.

    Looking forward to your “CIP rip” post. 🙂

  2.  Marc Says:

    I hadn’t heard about this, but I had read a report published recently (forgot by who) reporting on the vulnerability of the energy grid to EMP attack. While the power generators themselves are not especially vulnerable, their fuel and, even moreso, the transformer stations are very much so. To make matters worse, under normal circumstances it takes up to a year to order some of those parts, which are specially made to order, and are prohibitively expensive.

    Given the ongoing attention on security, I wonder where they’re ultimately going to take all this and how much it’ll cost.
