Energy companies face costly upgrades to secure electric grid

Electric power industry gets ready to pull switch on new cybersecurity mandate

By Ellen Messmer , Network World , 12/11/2007

Share/Email
Tweet This
Comment
Print

In an effort to improve security in the nation’s electric power grid, the Washington-based Federal Energy Regulatory Commission is poised to issue new rules to compel energy companies to use practices such as patch management and strong authentication to secure their industrial control systems against attackers, sabotage and unauthorized use.

If FERC at its Dec. 20 meeting approves the so-called Critical Infrastructure Protection (CIP) standards for physical and cybersecurity of the electric power grid, it will flip the switch on a regulatory regime where electric-power companies have to ensure the most critical parts of their system control and data-acquisition (SCADA) systems meet security requirements more associated with corporate computer best practices.

Meeting the Challenges of Virtualization Security: Download now

Securing the electric-power grid

The North American Electric Reliability Corp., the organization with authority to propose security rules for the U.S. energy companies, has suggested the Federal Energy regulatory commission (FERC) approve its eight proposed Critical Infrastructure Protection standards, summarized below. The decision could come as early as December 20 at the next FERC meeting.

Related Content

1.	Critical Cyber Asset Identification: Responsible entity must identify critical assets using risk assessment methodology.
2.	Security Management Controls: Implement management controls for critical assets.
3.	Personnel & Training: Requires personnel with access to critical cyber assets to have an identity verification and a criminal check. Also requires employee training.
4.	Electronic Security Perimeters: Identify and protect security perimeter and access points.
5.	Physical Security of Critical Cyber Assets: Create and maintain a security plan to ensure cyber assets in an electronic security perimeter are kept identified in a physical security perimeter.
6.	Systems Security Management: Define methods, processes and procedures for securing systems identified as critical cyber assets, as well as non-cricial cyber assets, within an electronic security perimeter.
7.	Incident Reporting and Response Planning: Identify, classify, respond to and report cyber security incidents related to critical cyber assets.
8.	Recovery Plans for Critical Cyber Assets: Establish recovery plans for crucial cyber assets using established business continuity and disaster recovery practices.

Click to see: 8 proposed CIP standards

But because many SCADA systems in place today to control the bulk-power grid may not be readily adapted for cybersecurity protection, IT managers at energy companies say they face the prospect of a wholesale replacement of their SCADA systems to meet regulatory goals.

“There are SCADA systems out there for forty or fifty years and they’re running fine,” says Patrick Miller, chair of the electric-utility user group called Energy Security Northwest, whose membership hails from 20 utilities. The energy companies across the country, he says, expect the upcoming FERC decision to influence whether they will need to wholly replace SCADA systems to meet new security regulations.