February 9, 2016: NERC issued an alert titled, “Mitigating Adversarial Manipulation of Industrial Control System as Evidenced by Recent International Events.” Also on February 9: The Obama administration announced its Cybersecurity National Action Plan. Writing on behalf of the Plan in a Wall Street Journal op-ed opinion, the President characterized cyber threats as an “urgent danger” to our economic and national security and stated that adversaries are probing for vulnerabilities in the networks controlling our power grid.
January 28-29, 2016: George Cotter (formerly Chief Scientist for the National Security Agency) and I briefed the FERC Commissioners on cyber threats and cyber incidents affecting the grid. The briefing slides, which are part of the FERC public record (Docket RM15-14-000), are available at Exercise of FERC Authority for Cybersecurity of the North American Electric Grid.
One matter we flagged for the Commissioners was a glaring omission in cyber security regulations for the electric utilities (NERC CIPs) and the nuclear utilities (Regulatory Guide 5.71/NEI-0809). These regulations fail to include a requirement that utilities (or nuclear plants) remove malware found in their networks. This is astounding, considering that BlackEnergy—malware which almost certainly facilitated the recent cyber attacks on the Ukrainian electric grid— has also been found in the US electric grid. This hole in the regulations certainly won’t help utilities’ prospects in the cyber insurance market.
I will speak about industrial control system (ICS) cyber security issues including regulatory deficiencies and cyber insurance considerations in keynote addresses to the National Academy of Science, Engineering, and Medicine (February 23, in Washington, D.C) and to the Business Insurance Risk Conference (March 23, in New York).