- Provide intelligence on threats to those needing to know - that does not mean only security cleared individuals, but all individuals working in the area;
- Make use of available technical talent – there is very little, and the safety and security of our country depend on these efforts;
- Analyze actual control system cyber incidents to develop appropriate cyber technologies and policies – there are few places to get the information as most of it has not been provided to the government—and what has is often classified and unavailable;
- Establish benchmarks for how much security is enough, what is an acceptable vulnerability assessment, what is an acceptable risk assessment, audit metrics, trade-offs between security and functionality, etc.;
- Support first-of-kind technology development, particularly for legacy field devices;
- Support development of college technical as well as policy curricula;
- Support the establishment of a CERT (Computer Emergency Response Team) for control systems that is not under the purview of the government, because industry is still uncomfortable about providing what they consider to be confidential data to government agencies like the FBI.
What can Congress do?
Currently FERC is constrained by the Energy Policy Act of 200517. It cannot write standards and its scope is restricted to the bulk electric system. There are several steps that Congress can take to help maintain the reliability of the electric system from cyber threats:
- Provide cyber security legislation that gives FERC the scope to write standards including mandating NIST SP800-53 for the bulk electric grid and the Smart Grid
- For cyber security, increase FERC’s scope to include electric distribution. There are technical as well as administrative reasons. Low-voltage transmission and high-voltage distribution systems electronically communicate with each other; utilities electronically communicate with each other; and the utilities use common systems. We cannot afford to have a "Tower of Babel" set of rules for each state and for the same equipment.
- NERC is in a conflict-of-interest position because its fundamental purpose has changed. If NERC can not do the job of assuring cyber security of the electric grid, find an organization with the will power and authority to do so.
- HR 219518 would go a long way toward providing effective legislation. I would add the following: Mandate the NIST FISMA guidance documents, such as SP800-53 and require the establishment of a program to develop expertise in electric grid cyber security. The expertise gained from this program should be shared with every electric grid owner and operator.
It has been almost ten years since I helped start the control system cyber security program at the Electric Power Research Institute (EPRI). Ten years should have been sufficient time for the industry to make significant progress. Unfortunately, it has not happened. Actual control system cyber incidents continue to occur – in fact, they appear to be getting more numerous. An unsecured electric grid is dangerous to the safety and economic well-being of this country. Congress needs to step in and provide regulation to give FERC the additional powers necessary and mandate NIST SP800-53.