How Do Utilities Prepare for the Cybersecurity Executive Order?
Location: New York
Date: 2013-04-04
In February, President Obama signed an executive order with
the intention of beefing up cybersecurity protection for pieces
of critical infrastructure, including the electric power structure
strewn across the country.
The order itself states that “repeated cyber intrusions into
critical infrastructure demonstrate the need for improved
cybersecurity. The cyber threat to critical infrastructure continues
to grow and represents one of the most serious national security
challenges we must confront. The national and economic security of
the United States depends on the reliable functioning of the
Nation's critical infrastructure in the face of such threats.”
While the order discusses the need to enhance security, make our
critical pieces more flexible and develop better general
interaction between infrastructure sources (read: play nicer), few
details are given about what this will all mean for electric
utilities, NERC CIP, the programs already in place or how involved
the Department of Homeland Security (DHS), which is leading this push,
will become.
And so the debates begin. And the articles (like this one) and
webinars and conferences descend.
In truth, no one can know exactly what will happen with this
executive order, but we can offer some areas of concentration (and
some areas to be wary of).
1.) Take a deep breath because, yes, it will impact you.
No matter what your level of cybersecurity threat at the moment, and
whether you are muni, co-op or large IOU, you need to realize that,
yes, you will be affected. There’s no way around that. While they
recently decreased the number of critical infrastructures from 18 to
16, the power industry remains in that 16. And, developing a
framework to protect those 16 is in the works, with a deadline of
early 2014. Bottom line: This will be a part of your future--your
near future. So, think ahead. Read the order. Read the articles
about the order. Make some notes about weaknesses in your
infrastructure or your current cybersecurity plan.
2.) Be prepared to share.
We know that utilities have been traditionally silent on cyber
issues. No one wants to advertise their issues or give someone a
blueprint to the easy penetration spots. But, that’s going to
change, at least a little. This order, and the push from DHS and
from NIST, to talk to each other will continue. There will be no
more silence. You will be sharing—with the government and with each
other. And it will be soon. You’ve got no more than four months to
get comfy with this, and we hope you started already since it
backdates to the date the order was signed. So, you now have about
three months to get comfy with this.
The order says: “It is the policy of the United States Government to
increase the volume, timeliness, and quality of cyber threat
information shared with U.S. private sector entities so that these
entities may better protect and defend themselves against cyber
threats.”
And, not everyone in the industry fears sharing. Intel’s McAfee, for
one, is more than ready for that.
"We welcome the president's executive order as it emphasizes
industry partnerships working in tandem with a competitive
marketplace to provide the vital products and services needed to
combat the very real threats to our nation's critical
infrastructure,” said Lorie Wigle, vice president, security fabric
program, McAfee.
3.) Yes, it may impact NERC CIP. No, we’re not really sure how yet.
NERC CIP rules were supposed to be the ones covering these bits of
critical infrastructure for utilities. Now, critical infrastructure
protection (the CIP portion of that NERC CIP moniker) is also being
pulled into this debate. Inevitably, there will be changes--whether
those will be to this order’s mandates or to the NERC CIP rules, no
one knows for sure. Some say NERC CIP needs to change anyway. It’s
just too cumbersome. Some utilities just really don’t want to start
over again. It’s a mystery, but it will definitely be an area
watched religiously.
In the end, the best way to start may be a little light reading. The
executive order in full can be found here: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
Additionally, associations and other objective entities, such as the
Utilities Telecom Council, have excellent webinars and articles on
the subject (read about it here: http://www.intelligentutility.com/article/13/03/utc-talks-details-cyber-and-president).
Preparation may be key to weathering the executive order’s details
without it becoming an emergency.
Wigle added, "Utilities have been grappling with how to manage
cybersecurity for some time, but the need for proactive and
strategic planning to confront evolving cyber threats has never been
greater."
http://riskcenter.com/articles/story/view_story?story=99915200