New Energy Bill Takes on Cybersecurity
Power company tech units must meet a host of new standards
Computerworld - The new energy bill signed into law by President Bush last week is expected to have a significant impact on IT departments at power companies. IT executives and experts noted that it allows federal enforcement of upcoming cybersecurity standards.
Under the new law, the Federal Energy Regulatory Commission has the authority to establish a national electric reliability organization with the power to oversee and audit reliability standards.
Instead of developing its own standards, the FERC plans to adopt those set by the North American Electric Reliability Council, said Ellen Vancko, a spokeswoman for the organization. The NERC is a Princeton, N.J.-based voluntary organization that sets standards for the operation and planning of the nation's bulk electricity system.
A spokeswoman for the FERC was unable to confirm the agency's plans last week.
The NERC is developing cybersecurity standards that cover areas ranging from the security of critical cyber assets to personnel screening and training requirements. The standards, known as CIP-002 to CIP-009, have been in the works for the past two years.
Executives from electric utilities and independent system operators (ISO), which oversee regional power grids, recently submitted comments on the third draft of the cybersecurity standards, said Laurence W. Brown, director of legal affairs at the retail energy services division of Edison Electric Institute Inc. in Washington. Brown said a fourth draft of the standards is expected to be voted on this fall.
If the standards are approved by NERC members and the group's board, they will likely go into effect next spring, said Brown. That should give power companies enough time to craft budgets that address the new requirements and create a list of physical and cyber assets that will be audited by the new reliability organization being established by the FERC, he said.
Listing Assets
The biggest challenge for power companies in meeting the upcoming standards, said Brown, is the creation of a list of physical and cyber assets that need to be audited each year.
"The most difficult issue is being able to demonstrate that you have looked at all of the areas that need to be tested and [are] doing the work necessary," said Brown.
For instance, Southern Co. identified its critical assets after the 9/11 terrorist attacks in the U.S., but it will now have to put together a different list to address cyber assets, said Bob Canada, a business assurance principal at the Atlanta-based super-regional power company.
While there may be some overlap with its post-9/11 asset management efforts, the new requirements will demand "a significant effort" to implement effective security controls for some of Southern's facilities, he said. For example, the company might need to restrict workers' access to portions of a computer console or an area of a power plant to ensure that those employees' actions are authorized, he said.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into... All Gov't Legislation/Regulation White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Gov't Legislation/Regulation Webcasts