Congress won't pass the administration's Cyber Security Act of 2012, so an executive order is getting run up the flagpole. Is it a bargaining tactic or a last resort? One contributor makes the case that more is less.
Yesterday, in "Cyber Security and Distribution Systems ," we focused on a pending executive order that would create a public-private means to identify and share best practices for cyber security in various sectors, including power, as a resource for voluntary participation.
The administration, through Department of Homeland Security Secretary Janet Napolitano, is pushing for a legislative means to accomplish the same goals, but in light of opposition by "industry"—actually, lobbyists for specific industries as well as the U.S. Chamber of Commerce—is considering an executive order.
While I think that, in light of Congressional gridlock on many issues, that's no bogey man to be feared, I also think the response of the power sector as reflected in yesterday's column is also eminently reasonable. Don't duplicate efforts. Don't re-invent the wheel. Don't push top-down, compliance-based cyber security. (I don't see that in the voluntary model adopted by the potential executive order, but I also understand that power sector folks get their responsibilities and take them seriously.)
But Mike Ebert, senior research affiliate, power grids and security projects, Volgenau School of Engineering, George Mason University, who presented on the topic to NARUC this past summer and has been an Intelligent Utility contributor, sees things differently.
(Ebert is a certified information security auditor, or CISA. "It's ironic that `audit' is in the certification, given that our mantra now is "proactive monitoring" rather than "reactive auditing," he told me in an aside.)
Even additional, voluntary measures for electric distribution systems would divert attention and detract from ongoing, utility-specific measures, according to Ebert.
In summary, some of Ebert's concerns:
"We need to take a deep breath and think through the unintended consequences of an executive order," Ebert told me.
Meanwhile, Ebert's mission is to help provide NARUC (National Association of Regulatory Utility Commissioners) members with resources to move ahead with actual cyber security, having addressed NARUC's national meeting in July. He credited Terry Jarrett, chair of NARUC's standing committee on critical infrastructure, and a member of the Missouri Public Service Commission, with "moving things forward."
"I don't see complacency," Ebert said of NARUC's membership. "They're concerned and they're doing things."
(Jarrett participated in an EnergyBiz webcast, "New Approaches to Grid Security ," this past July. Replay that webcast by clicking on the webcast title.)
NARUC commissioners in July wanted to better understand their role in cyber security and what the challenges are, according to Ebert.
Ebert made the point that commissioners are charged generally with overseeing the safe, reliable, secure and affordable provision of power to the public. So one challenge is reconciling costs, which must be limited, with security, which is an effort aimed at a moving target that's never 100 percent complete. In the cost recovery arena, Ebert pointed out, commissioners must decide what level of expenditures for cyber security are "reasonable and prudent."
The better state regulators understand the issues and the challenges—beyond money, both utilities and regulators need experienced, certified security experts—the more able they'll become in assessing risks and counter-measures and participating in solutions, in Ebert's view.
"I think you need some basic guidance," Ebert acknowledged.
But, he pointed out, adequate resources already are available. See the end of his slide deck for NARUC, "Cybersecurity for Critical Energy and Telecommunications Infrastructures: Major Issues and Challenges for States ," for suggested reading.
"A significant cyber event has not yet happened," Ebert said. "Knock on wood and pray that it never does. But why? It may be because people who don't talk or can't talk are doing things that we don't know about. Cyber security is happening and people are quiet about it. Yet they're held back by regulatory uncertainty. They're not sure what they're going to have to comply with. Let's not add to that uncertainty."
Intelligent Utility Daily