State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Waiting on NERC: What's Next for Cyber-Security?
As NERC’s CIP standards advance, utilities move ahead, haltingly, with implementation.
to a door that’s unlocked.
Davidson attends vendor user groups to get feedback from the field, and he heads up outreach efforts to report back lab findings. In doing so, he says utilities are better prepared to meet any cyber-security standards that may be imposed at a future date.
“While many people are focused on NERC compliance, we’re focused on how to secure systems and use that to meet NERC compliance requirements,” he says.
The new requirements not only strengthen system integrity against outside threats, but help address the threat from disgruntled employees and other insiders, who can severely damage systems as a way to retaliate against their employers. “It’s just poor practices that allow those [events] to occur,” he says. “But part of the CIPs is so that everybody understands that poor practices aren’t acceptable any more. You need to have passwords. If somebody leaves the company, you need to immediately remove their account from the system. The [CIP] requirements cover those things.”
ISAC Keeps an Eye Out
With the industry still on the early part of the implementation curve, NERC remains committed to overcoming threats to the bulk electricity network, whether from individuals or Mother Nature. Through operation of the Electricity Sector Information Sharing and Analysis Center (ISAC), NERC stays abreast of reports of possible cyber events, working with other NERC members—and the other critical infrastructure ISACs—to coordinate a response to infrastructure damage.
NERC’s Stan Johnson says there’s “a fairly high level of activity” at the ISAC, but many reported events don’t rise to the level of a cyber attack. “We had a situation that turned out not be an attack, but more on the business side. An employee used passwords that disrupted the energy trading in the Western part of the United States. We investigated it and found out what happened. It was clearly identified as to who had done it. Our role is to make sure that the system’s integrity is maintained.”
The Electricity Sector ISAC also was involved with last year’s major hurricanes—Katrina, Rita, and Wilma. “We shared information between critical infrastructures,” Johnson says. “I don’t know that we were able to prevent any damage, but we certainly were able to assist in any restoration.”
During the hurricanes, the Department of Energy needed to determine from Entergy the number of its towers that had been damaged, and the number of miles of transmission lines on the ground. “We were able to go to the people we work with at Entergy and get that. DOE then factored that into its situation reports,” Johnson remembers. The Electricity Sector ISAC also communicated information to the Telecom ISAC, as telecom companies in and around New Orleans tried to restore their critical facilities. “Entergy got some of its maps and figured out what their restoration strategy was in that part of New Orleans, so we were able to work with the telecom sector,” Johnson says.
Weather events and terrorism threats remain real, Johnson says, although experts believe the greatest vulnerability of cyber systems is not from outside sources, but from insiders. Still,