FERC: Tighter standards needed to guard against utility cyberattacks

Peter Key | Jul 26, 2015

Cyber-intruders have more ways than ever to hack into the computer networks that control the North American power grid, so the Federal Energy Regulatory Commission is pushing for tighter security standards to help keep them out.

It won't be an easy job, especially because FERC wants companies that serve the utility industry to do more.

Specifically, FERC wants the North American Electric Reliability Corp. - the nonprofit that oversees the interconnected power systems of the U.S., Canada and part of Mexico - to develop security standards governing the supply chains of organizations involved in managing and working on the grid. 

The standards would be designed to make sure that utilities aren't supplied with products or services that make the computer systems that run the grid more vulnerable to intrusion.

The agency has also proposed revisions to standards that NERC has proposed for protecting the grid. The revisions would modify seven new Critical Infrastructure Protection Reliability Standards developed by NERC, covering items ranging from personnel and training to physical security for the computer systems that manage the grid and protection of the information on those systems.

Additionally, FERC wants NERC to address why the standards it has proposed to limit the risks posed by so-called transient devices - which include everything from flash drives to laptop computers - should apply only to computer systems that, under NERC's classification, would have a high or medium impact on the grid if they were disrupted, and not to systems that would have a low impact if disrupted.

FERC detailed all that it is proposing in a notice issued on July 16. Comments will be accepted for 60 days from the time the proposals are published in the Federal Register.

FERC's proposal to direct NERC to develop supply-chain security standards marks only the third time the agency has ordered NERC to develop a set of standards, FERC Commissioner Cheryl A. LaFleur noted in a statement on FERC's website. FERC previously directed NERC to develop standards to address physical security and geomagnetic disturbances, which are disturbances of the earth's magnetic field caused by solar flares or storms.

FERC said its latest push was prompted by two malware campaigns. 

One involves a Trojan horse virus, which gets its name because it is designed to appear useful or interesting to get people to install it and then, once it is installed, do its damage. The virus, called Havex, originally was distributed by such traditional methods as bogus emails, but its designers subsequently managed to get it into downloaders on the websites of industrial control system manufacturers, so when those companies' customers went to their websites for upgrades, they got Havex, too. 

The other malware campaign involved BlackEnergy, which is meant to give its creators complete remote control over any system it infects. Last October, researchers at Tokyo-based security software developer Trend Micro Inc. learned that BlackEnergy's creators were attempting to take advantage of a vulnerability in Microsoft Windows to get personal computers running supervisory control and data acquisition software developed by General Electric Co. to download the malware.  

In its proposal, FERC asked industry experts to weigh in with what they think should be in the standards and how long it should allow for the standards to be implemented. FERC said it wants the standards to govern all grid-related goods and services through their entire life cycles from research and development to retirement and disposal.

FERC's proposals didn't come as a shock, said H. Bao Le, a vice president and practice director for Coalfire Systems Inc., a Denver cyber-risk management and compliance company.

"These have been in discussion within the industry," said Le, who has been participating in NERC committees working on FERC directives.

While FERC's proposals may break new ground in the electric industry, they're hardly cutting-edge stuff, said David Miller, the chief security officer for Covisint Corp., a Detroit-based provider of cloud-computing platforms for businesses.

The financial-services, oil-and-gas and health-care industries have been computer-security sticklers for years, due to both regulations and the liabilities they'd face if they weren't. As a result, Miller said, when NERC starts writing the guidelines that FERC wants it to come up with, it will have plenty of models to follow. 

Miller also said that the big companies in grid-related supply chains shouldn't have trouble complying with the new guidelines.

"They supply services to other industries and those industries" may already follow supply-chain security guidelines, he said.

FERC's focus on grid supply chains "is a good step in the right direction," said Tom Patterson, vice president, global security solutions for Unisys Corp., a computer hardware, software and services firm based in Blue Bell, Pa.

The largest companies in an industry typically have the best cyber-security, so hackers increasingly are focusing on those companies' suppliers, whose cyber-security isn't as good, Patterson said. Once they're into the suppliers' systems, they "use that access to slowly worm their way up," he said.

Another reason Patterson applauds FERC's focus on grid supply chains is the proliferation of devices with chips in them. He said a hacker was able to attack a defense contractor by putting malware in intelligent light bulbs that the contractor purchased because the contractor didn't apply the same security standards to the bulbs that it did to its core technology.

The proliferation of mobile devices is what prompted FERC to ask NERC to explain why its standards for transient devices shouldn't apply to low-impact grid-related computer systems.

Still, if that directive results in those standards being applied to low-impact systems, enforcing the standards could be difficult, said Elizabeth Brereton, an associate with the Salt Lake City law firm of Snell & Wilmer, who previously worked in enforcement with the Western Electricity Coordinating Council.

"There's been a lot of pushback in the industry (over) classifying transient devices and implementing regulations to really control data-storage devices as well, just because of the burden that places on day-to-day operations," she said. 

Energy Central

Copyright © 1996-2015 by CyberTech, Inc. All rights reserved.


http://www.energybiz.com/article/15/07/ferc-tighter-standards-needed-guard-against-utility-cyberattacks