Cyber security and distribution systems
Possible executive order raises industry concerns
Unless you've been living under a rock, you've noticed news accounts of a possible executive order on cyber security that would ask the power sector to voluntarily undertake new cyber security efforts on the distribution system and participate in coordinated information sharing with the federal government.
Of course, in an election season, or in industry circles of whatever stripe, use of the term "federal government" is a not-so-secret code word implying incompetence, overreach, mistrust and, generally, a ticket to the monkey house.
On the other hand, in journalism circles, any mention of the terms "self-policing," "voluntary regulation" or "industry knows best" is laughable. Rigor in a challenging task is rarely achieved alone. Star athletes have coaches. Proof readers provide a second set of eyes. Two heads are better than one. Etc.
And so the friction between government and industry will always exist. The relationship becomes particularly thorny when national security and industry converge, as it does in the area of cyber security for critical infrastructure such as exists in the power sector.
That's a sketch of the tensions involved. Now let's look at recent events to set the stage for a variety of interviews that I hope will help illuminate the issue from many angles.
Briefly, Sen. Joe Lieberman, I-Conn., introduced the Cybersecurity Act in February and the measure fell to a Senate filibuster. According to Sen. Jay Rockefeller, D-W. Va., the measure failed due to lobbying by industry groups and the U.S. Chamber of Commerce. In late September, Department of Homeland Security Secretary Janet Napolitano informed the Senate Homeland Security and Governmental Affair Committee that an executive order might be issued but would be less effective than legislation. See more, recent coverage in the following stories:
"Executive order on cyber security builds steam amid criticisms," by the L.A. Times.
"White House, DHS, FBI drafting executive order on cybersecurity," by Defense News.
Also in late September, Rockefeller, the chair of the Senate Committee on Commerce, Science and Transportation, wrote to the Fortune 500 companies, which include 24 utilities, to ask for answers to eight questions about their cyber security practices and how they were developed. Rockefeller stated he wanted unvarnished insights, free from lobbyists' spin. Rockefeller suggested that an executive order creating a framework for voluntary collaboration between industry and the federal government would be the preferred alternative to "reactive and overly prescriptive legislation following a cyber disaster." And he cited support for the President's position from the Joint Chiefs of Staff and the National Security Agency.
You can read Rockefeller's letter here. His questions centered around the following:
- Has your company developed cyber security best practices? How? When?
- Did it do so on its own? With a third party? With help from the federal government?
- What are your concerns with a voluntary program that coordinated federal and industry efforts to articulate best practices for voluntary adoption?
The power industry groups that jointly penned a response published their letter here. The gist of the letter , signed by the heads of industry associations representing investor-owned utilities (EEI), public power (APPA) and rural cooperatives (NRECA), plus the Electric Power Supply Association, the Nuclear Energy Institute, is that:
- We're already partnering with federal agencies and have for years;
- We're already subject to considerable federal mandates and oversight;
- We support cyber security legislation that takes power sector concerns into account;
- We are concerned that duplicative measures or a checklist compliance would be counterproductive.
Frankly, both players, as it were, sound completely reasonable. That's where the matter stands right now and I'll seek out those with a view to the issues involved. If you're paying attention to the issue and would like to chat, please get in touch.
Intelligent Utility Daily