By: Sean Sherman
The announcement of the Lieberman/Thompson bill, the Critical Electric Infrastructure Protection Act, is the latest response to a series of newsworthy events concerning the power industry and cyber security. These include:
1) a NERC survey of utilities in which over a third of respondents could not identify any “cyber” assets that could be classified as critical to the power grid,
2) a Wall Street Journal report that the national electric utilities are being actively mapped out and examined by foreign states for weaknesses in cyber controls, and
3) Congressman Edward Markey’s firm memo (April 9) to the FERC about the apparent lack of good cyber controls in the utility sector.
The press release quotes Thompson: “This legislation addresses these critical issues by providing a common sense approach to ensure continued security of the nation’s electric infrastructure.”
The new bill, according to a news release from the House committee, contains three new instructions:
1. Grants FERC new authority to issue “emergency rules or orders” to address cyber security threats (after agency agreement on the threat).
2. Requires FERC to assess and establish interim standards deemed necessary to protect against known cyber threats to critical electric infrastructure.
3. Requires DHS to conduct an investigation to determine whether the security of federally owned critical electric infrastructure has been compromised by outsiders.
Are these instructions common sense? Doesn’t FERC already have this authority and responsibility? Isn’t DHS already investigating cyber security threats to the nation?
Don’t get me wrong. I think pressure should be applied to change the process of protecting our nation’s cyber infrastructure, including utilities. But this solution doesn’t sound new. The problems are systemic, starting with not understanding the threat, knee-jerk reactions to fearful statements, and underfunding of security programs. A real solution should address these failings. I might recommend: appoint a true security czar to the domain who can understand the magnitude of the problem and apply guidance and leadership, base the task of cyber control on an agile process that can change quickly to address changes to threats, and fund the security programs that are mandated by that process.