Network World
Sunday, July 5, 2009

Group defines cyberattack prevention rules for nation's power grid

Federal Energy Regulatory Commission sets infrastructure standards

The Washington-based Federal Energy Regulatory Commission today approved eight "critical infrastructure protection" (CIP) standards intended to protect the electric-power grid operated by the nation's utilities from coming under cyberattack because of poor access control, software vulnerabilities or other weaknesses in their data-control systems.

FERC, which has regulatory authority over U.S. electric and gas utilities, decided in a unanimous vote to require users, owners and operators of what's called the "bulk power system" for electricity to establish policies and plans to safeguard physical and electronic access to control systems, according to the eight CIP principles. FERC Chairman Joseph Kelliher called the commission's decision a milestone in "adopting the first mandatory and enforceable reliability standards that address cybersecurity concerns on the bulk power system in the United States."

These standards, in summary, are:

* Critical cyberasset identification
* Security management controls
* Personnel and training
* Electronic security perimeters
* Physical security of critical cyberassets
* Systems security management
* Incident reporting and response planning
* Recovery plans for critical cyberassets

The CIP standards were proposed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the organization that will oversee compliance with them.

During the FERC public meeting today, Kelliher said that adoption by the energy industry of the eight CIP measures would work to deter "any organized group that might be intentionally trying to disrupt the grid."

FERC Commissioner Jon Wellinghoff called the decision by the FERC an important one to better secure an interconnected grid system, but Commissioner Philip Moeller raised the question of whether the country would end up with a "more disconnected bulk-power grid as a way to defend against a cyberattack."

In discussing its decision to adopt the CIP standards to regulate the bulk-power grid, FERC acknowledged that it had received many comments from the power companies related to the concern that the older data-control equipment they have in place today is not designed to adhere to strict security guidelines that might entail software patching or running security and management software.

Copyright 2008 Network World Inc.