The new energy bill signed into law by President Bush this week is expected to have the greatest impact on IT departments at power companies because it allows federal enforcement of upcoming cybersecurity standards, according to industry IT executives and other experts.
Under the new law, the Federal Energy Regulatory Commission (FERC) has the authority to establish a national electric reliability organization with the power to oversee and audit reliability standards. Instead of developing its own standards, the FERC plans to adopt those set by the North American Electric Reliability Council (NERC), said Ellen Vancko, a spokeswoman for the organization.
The NERC is a Princeton, N.J.-based voluntary organization that sets standards for the reliable operation and planning of the nation"s bulk electricity system.
A spokeswoman for the FERC was unable to confirm the agency"s plans today.
The NERC is developing cybersecurity standards that cover areas ranging from the security of critical cyber assets to personnel screening and training requirements. The standards, known as CIP-002 to CIP-009, have been in the works for the past two years.
Executives from electrical utilities and independent systems operators (ISO), which oversee regional power grids, recently submitted comments on the third draft of the cybersecurity standards, said Laurence W. Brown, director of legal affairs for the retail energy services division of Edison Electric Institute Inc. in Washington. Brown said a fourth draft of the standards is expected to be voted on by participating energy companies this fall.
If the standards are approved by NERC members and the group"s board, they would likely go into effect next spring, said Brown. That should give power companies enough time to craft budgets that address the new requirements and create a list of physical and cyber assets that will be audited by the new reliability organization established by the FERC, he said.
Brown said most big utilities and ISOs "are darn near fully compliant with 1200" -- the predecessor cybersecurity standard created by the NERC in 2003 -- and with the bulk of the new cybersecurity standards being drafted. The biggest challenge for power companies in meeting the upcoming standards, said Brown, is creation of a list of physical and cyber assets that need to be audited each year.
"The most difficult issue is being able to demonstrate that you have looked at all of the areas that need to be tested and [are] doing the work necessary," said Brown.
For instance, Southern Co. identified its critical assets after the 9/11 terrorist attacks in the U.S., but it will now have to put together a different list to address cyber assets, said Bob Canada, a business-assurance principal for the Atlanta-based superregional power company. While there may be some overlap with its post-9/11 asset management efforts, the new requirements will require "a significant effort" to implement effective security controls for some of Southern Co."s facilities, he said. For example, the company might need to restrict access by workers to portions of a computer console or an area of a power plant to ensure that the duties the workers undertake are authorized, said Canada.
"When we built these things way back, I"m sure they weren"t designed for cybersecurity; they were built to comply with the needs of the plant," said Canada. He said the amount of time needed to identify and list Southern Co."s cyber assets "will be significant."
PJM Interconnection LLC, an ISO that serves 51 million electric customers from North Carolina to New Jersey, has been tracking its cyber assets since March 2004 in compliance with the 1200 standard, said Tom Bowe, chief security officer at the Valley Forge, Pa.-based company. "I don"t want to bait anyone, but do I feel confident in our level of security," said Bowe. Still, he added, "day to day, that confidence can ebb and flow with the latest threat that"s been published."
Midwest Independent Transmission System Operator Inc. in Carmel, Ind., already identifies and monitors its cyber assets through an SAS 70 audit, said Jim Schinski, vice president and CIO for the nonprofit organization, which serves the electrical transmission needs for much of the Midwest. The regional grid operator has twice hired third parties to try to hack into its systems during the past two years, said Schinski. Although he declined to talk about vulnerabilities that had to be corrected, Schinski said, "We came out of the report in very good shape."
Under the NERC"s proposed cybersecurity standards, power companies will also have to conduct extensive background investigations on employees. At some companies, that burden may fall upon IT security departments. For example, PJM"s IT security division shares those responsibilities with the company"s human resources department, said Bowe.