Waiting on NERC: What's Next for Cyber-Security?
As NERC’s CIP standards advance, utilities move ahead, haltingly, with implementation.
Price and supply issues dominate the discussion in the electric industry in the summer of 2006, but it wasn’t long ago that another issue—security—captured the industry’s attention. Now, it’s back again.
In the aftermath of Sept. 11, 2001, physical security issues came to the fore. How could plants be protected against terrorist attacks? After the 2003 Northeast Blackout, cyber-security concerns, never far from the front burner, began to predominate.
“[Security is] a major issue with our members,” says Edison Electric Institute spokesman Jim Owen. “Security, both physical and cyber, very much remains on the radar screen of our senior management.”
While the North American Electric Reliability Council (NERC) has put together standards addressing both areas of security—physical and cyber (see sidebar “Fox, Deer, and Pranksters”)—it’s the organization’s proposed cyber-security efforts that passed another milestone in June, with the passage of Critical Infrastructure Protection (CIP) standards.
Refinements to the standard are still to come. At press time, the newly passed standards had been assessed by the Federal Energy Regulatory Commission (FERC), and the comment period had just closed for utility-industry participants affected by the standards. The commission would not officially comment about ongoing proceedings.
As the government turns its focus to cyber-security, investor-owned utilities are anticipating their next move to ensure reliability.
Tied to ERO Approval
NERC’s efforts to standardize cyber-security across the utilities industry have been ongoing, but only recently have the standards moved toward becoming mandatory. Previous cyber-security rules, including NERC’s 1200 standard, were voluntary.
“The 1200 standards were ‘urgent action standards’ put into place in 2004, with the plan that they would be replaced by the 1300 series in 2005,” says NERC’s Stan Johnson, manager of Situation Awareness and Infrastructure Security. “The 1300 series never officially saw the light of day. The 2005 date was not met. The [Critical Infrastructure Protection] standards … are the replacement for the 1200s, which are now null and void. They’re gone.”
NERC has applied to FERC to be the new Electric Reliability Organization, mandated by the Energy Policy Act of 2005. If FERC approves NERC as the ERO, the newly passed cyber-security standards—CIPs 002-009—will become enforceable.
“For the next year, there are no teeth [to the standards],” says Robert Ayoub, an analyst at Frost & Sullivan. “In the future, fines might be ... significant.”
According to Johnson at NERC, the recently passed cyber-security standards will be “mandatory as much as any NERC standards are mandatory, as soon as we are declared the ERO.”
Beyond that date, the timeline for implementation spreads out several years, with threatened fines for those not in compliance. “Certain parts of the standards go into effect at different points, spread out over a three-and-a-half-year period,” Johnson says (see “NERC Reliability Standards: The Good, the Bad, and the Fill-in-the-Blanks”).
As for potential fines, Johnson says that if NERC is designated as the ERO and authorized to conduct company audits, any company “found to be deficient”