How Do Utilities Prepare for the Cybersecurity Executive Order?

In February, President Obama signed an executive order with the intentions of beefing up the cybersecurity protection for bits of critical infrastructure, including the electric power structure strewn across the country.

The order itself states that “repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats.”

While the order discusses the need to enhance security, make our critical pieces more flexible and develop just a nicer general interaction between infrastructure sources (read: play nicer), few details are given about what this will all mean for electric utilities, NERC CIP, the programs already in place or how involved the Department of Homeland Security (DHS), who is leading this push, will become.

And so the debates begin. And the articles (like this one) and webinars and conferences descend. 

In truth, no one can know exactly what will happen with this executive order, but we can offer some areas of concentration (and some areas to be wary of).

1.) Take a deep breath because, yes, it will impact you.

No matter what your level of cybersecurity threat at the moment, and whether you are muni, co-op or large IOU, you need to realize that, yes, you will be affected. There’s no way around that. While they recently decreased the number of critical infrastructures from 18 to 16, the power industry remains in that 16. And, developing a framework to protect those 16 is in the works, with a deadline of early 2014. Bottom line: This will be a part of your future--your near future. So, think ahead. Read the order. Read the articles about the order. Make some notes about weaknesses in your infrastructure or your current cybersecurity plan. 

2.) Be prepared to share.

We know that utilities have been traditionally silent on cyber issues. No one wants to advertise their issues or give someone a blueprint to the easy penetration spots. But, that’s going to change, at least a little. This order, and the push from DHS and from NIST, to talk to each other will continue. There will be no more silence. You will be sharing—with the government and with each other. And it will be soon. You’ve got no more than four months to get comfy with this, and we hope you started already since it backdates to the date the order was signed. So, you now have about three months to get comfy with this.

The order says: “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”

And, not everyone in the industry fears sharing. Intel’s McAfee, for one, is more than ready for that.

"We welcome the president's executive order as it emphasizes industry partnerships working in tandem with a competitive marketplace to provide the vital products and services needed to combat the very real threats to our nation's critical infrastructure,” said Lorie Wigle, vice president, security fabric program, McAfee.

3.) Yes, it may impact NERC CIP. No, we’re not really sure how yet.
NERC CIP rules were the ones supposed to cover these bits of critical infrastructure for utilities. Now, critical infrastructure protection (the CIP portion of that NERC CIP moniker) is also being pulled into this debate. Inevitably, there will be changes---whether that will be to this order’s mandates or to the NERC CIP rules, no one knows for sure. Some say NERC CIP needs to change anyway. It’s just too cumbersome. Some utilities just really don’t want to start over again. It’s a mystery, but it will definitely be an area watched religiously.

In the end, the best way to start may be a little light reading. The executive order in full can be found here: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. Additionally, associations and other objective entities such as the Utilities Telecom Council, have excellent webinars and articles on the subject ( read about it here:http://www.intelligentutility.com/article/13/03/utc-talks-details-cyber-and-president). Preparation may be key to weathering the executive order’s details without it becoming an emergency.

Wigle added, "Utilities have been grappling with how to manage cybersecurity for some time, but the need for proactive and strategic planning to confront evolving cyber threats has never been greater."

To subscribe or visit go to:  http://www.riskcenter.com

http://riskcenter.com/articles/story/view_story?story=99915200