Cyber security and executive order: camel's nose under the tent?
Industry concerns about "voluntary" measures
Yesterday, in "Cyber Security and Distribution Systems," we focused on a pending executive order that would create a public-private means to identify and share best practices for cyber security in various sectors, including power, as a resource for voluntary participation.
The administration, through Department of Homeland Security Secretary Janet Napolitano, is pushing for a legislative means to accomplish the same goals, but in light of opposition by "industry"—actually, lobbyists for specific industries as well as the U.S. Chamber of Commerce—is considering an executive order.
While I think that, in light of Congressional gridlock on many issues, that's no bogeyman to be feared, I also think the response of the power sector as reflected in yesterday's column is eminently reasonable. Don't duplicate efforts. Don't re-invent the wheel. Don't push top-down, compliance-based cyber security. (I don't see that in the voluntary model adopted by the potential executive order, but I also understand that power sector folks get their responsibilities and take them seriously.)
But Mike Ebert, senior research affiliate, power grids and security projects, Volgenau School of Engineering, George Mason University, who presented on the topic to NARUC this past summer and has been an Intelligent Utility contributor, sees things differently.
(Ebert is a certified information security auditor, or CISA. "It's ironic that 'audit' is in the certification, given that our mantra now is 'proactive monitoring' rather than 'reactive auditing,'" he told me in an aside.)
Even additional, voluntary measures for electric distribution systems would divert attention and detract from ongoing, utility-specific measures, according to Ebert.
In summary, some of Ebert's concerns:
- An executive order would represent hawkish national security interests that, under the guise of a voluntary program, want to impose checklist, compliance-centric demands—a one-size-fits-all approach—on distribution systems.
- Federal agencies are too cumbersome for this task and slow down actual, local efforts, leaving systems more vulnerable.
- A legislative remedy would be far better because it involves a wider group of stakeholders and compromise, which improves it.
- NERC and FERC skirmish over the adequacy of NERC's Critical Infrastructure Protection (CIP) standards. Why push that model down to the distribution system?
- Standardized, vetted guidelines—of which there are many—provide a workable framework for individual utilities to craft proactive policies and procedures that fit their circumstances.
- Many utilities are quietly engaged in cyber security work, while others aren't. But a secure, trustworthy forum or process for sharing best practices doesn't exist.
- Local, state and industry stakeholders don't trust "the feds": they fear that information gathered for one purpose will be shared among federal agencies, leading, for example, to anti-trust actions over shared information.
"We need to take a deep breath and think through the unintended consequences of an executive order," Ebert told me.
Meanwhile, Ebert's mission is to help provide NARUC (National Association of Regulatory Utility Commissioners) members with resources to move ahead with actual cyber security, having addressed NARUC's national meeting in July. He credited Terry Jarrett, chair of NARUC's standing committee on critical infrastructure, and a member of the Missouri Public Service Commission, with "moving things forward."
"I don't see complacency," Ebert said of NARUC's membership. "They're concerned and they're doing things."
(Jarrett participated in an EnergyBiz webcast, "New Approaches to Grid Security," this past July.)
NARUC commissioners in July wanted to better understand their role in cyber security and what the challenges are, according to Ebert.
Ebert made the point that commissioners are charged generally with overseeing the safe, reliable, secure and affordable provision of power to the public. So one challenge is reconciling costs, which must be limited, with security, which is an effort aimed at a moving target that's never 100 percent complete. In the cost recovery arena, Ebert pointed out, commissioners must decide what level of expenditure for cyber security is "reasonable and prudent."
The better state regulators understand the issues and the challenges (beyond money, both utilities and regulators need experienced, certified security experts), the more able they'll become in assessing risks and counter-measures and participating in solutions, in Ebert's view.
"I think you need some basic guidance," Ebert acknowledged.
But, he pointed out, adequate resources already are available. See the end of his slide deck for NARUC, "Cybersecurity for Critical Energy and Telecommunications Infrastructures: Major Issues and Challenges for States," for suggested reading.
"A significant cyber event has not yet happened," Ebert said. "Knock on wood and pray that it never does. But why? It may be because people who don't talk or can't talk are doing things that we don't know about. Cyber security is happening and people are quiet about it. Yet they're held back by regulatory uncertainty. They're not sure what they're going to have to comply with. Let's not add to that uncertainty."
Intelligent Utility Daily