New energy bill has cybersecurity repercussions
Power companies will need to meet a host of new standards
Computerworld - The new energy bill signed into law by President Bush this week is expected to have the greatest impact on IT departments at power companies because it allows federal enforcement of upcoming cybersecurity standards, according to industry IT executives and other experts.
Under the new law, the Federal Energy Regulatory Commission (FERC) has the authority to establish a national electric reliability organization with the power to oversee and audit reliability standards. Instead of developing its own standards, the FERC plans to adopt those set by the North American Electric Reliability Council (NERC), said Ellen Vancko, a spokeswoman for the organization.
The NERC is a Princeton, N.J.-based voluntary organization that sets standards for the reliable operation and planning of the nation's bulk electricity system.
A spokeswoman for the FERC was unable to confirm the agency's plans today.
The NERC is developing cybersecurity standards (see "Utility cybersecurity plan questioned") that cover areas ranging from the security of critical cyber assets to personnel screening and training requirements. The standards, known as CIP-002 to CIP-009, have been in the works for the past two years.
Executives from electrical utilities and independent systems operators (ISO), which oversee regional power grids, recently submitted comments on the third draft of the cybersecurity standards, said Laurence W. Brown, director of legal affairs for the retail energy services division of Edison Electric Institute Inc. in Washington. Brown said a fourth draft of the standards is expected to be voted on by participating energy companies this fall.
If the standards are approved by NERC members and the group's board, they would likely go into effect next spring, said Brown. That should give power companies enough time to craft budgets that address the new requirements and create a list of physical and cyber assets that will be audited by the new reliability organization established by the FERC, he said.
Brown said most big utilities and ISOs "are darn near fully compliant with 1200" -- the predecessor cybersecurity standard created by the NERC in 2003 -- and with the bulk of the new cybersecurity standards being drafted. The biggest challenge for power companies in meeting the upcoming standards, said Brown, is creation of a list of physical and cyber assets that need to be audited each year.
"The most difficult issue is being able to demonstrate that you have looked at all of the areas that need to be tested and [are] doing the work necessary," said Brown.
For instance, Southern Co. identified its critical assets after the 9/11 terrorist attacks in the U.S., but it will now have to put
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts