The Secretary of Defense cites specific, recent cyber attacks on major financial institutions and increased capabilities of our enemies. A law calling for voluntary sharing and adoption of best practices can't pass Congress. The President has an executive order in his hand. What is the thinking here?
In case you think we're over-emphasizing aspects of cyber security, I awoke Friday to the front page of The New York Times: "Panetta Warns of Dire Threat of Cyber Attack on U.S."
According to the Secretary of Defense, the homeland is "increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government." Note which sector goes first.
Panetta said he was "reacting to increasing aggressiveness and technological advances by the nation's adversaries, which officials identified as China, Russia, Iran and militant groups" that could "shut down the power grid across large parts of the country."
Defense officials said Panetta is serious and that he was concerned by "a recent wave of cyber attacks on large American financial institutions." (Such attacks imply either the intended theft of financial data, customer data or an attempt to wreak havoc with the banking system and, thus, the economy. No word on suspected perpetrators, probably because that would tip our hand.)
Of course the secretary isn't going to openly discuss attack vectors and specific counter strategies. And he acknowledged he's stumping for the Cybersecurity Act of 2012 shot down by the U.S. Chamber of Commerce and Sen. John McCain, R-AZ, who purportedly fear added costs on industry. (To this perennial fear, I'd say start to focus on the costs associated with a successful attack. Need we review the tens of billions of dollars in cost from, say, the unintentional 2003 blackout?)
As we covered in "Cyber Security and Distribution Systems" and "Cyber Security and Executive Order: 'Camel Nose Under Tent?'," that legislation seeks a process for sharing and further developing best practices in cyber security, drawing on various vertical industries' work, including the power sector.
The adoption of those practices, the legislation and potential executive order state, would be voluntary. But of course industry is leery of any interaction with the federal government if it leads to compliance exercises and costs, and perhaps rightly so. While the legislation in play calls for voluntary adherence to best practices shared with the national agencies charged with protecting the homeland, one argument suggests that voluntary measures soon will become mandatory and that this is a subterfuge to obtain dirt on utility practices.
Another thread of the argument runs that, in the case of cyber security, compliance diverts attention from actual security and imposes the dreaded one-size-fits-all framework that hampers solutions unique to each utility's circumstances.
I'd give more weight to the second argument, just because the first reeks of paranoia and underscores just how dysfunctional this nation has become due to partisanship, mistrust of government and failure to agree on matters of national importance. Looking back at the history of failed empires, too often you see debilitating decadence born of disagreement.
Yet one cannot blithely dismiss concerns expressed publicly by the Secretary of Defense. He's not just out for a chin wag. Partisanship and parochial industry attitudes could well foil a national strategy to protect critical infrastructure. The issue at hand is how it's getting done.
Uniformity of approach, obviously, is not only ineffective, it could allow for wider penetration of security measures once the overall strategy and implementation are understood by would-be malefactors. Yet I suspect that at a more granular level, measures such as NERC CIP (North American Electric Reliability Council's critical infrastructure protection) allow for such tailoring. Someone would have to help me with that and, I suspect, views will differ.
I'm convinced, from many back channel conversations, that utilities of every stripe are taking cyber security seriously and there's a lot taking place (as it should) behind the scenes. We've recently discussed the steps taken, for instance, by state regulators, public power and cooperative utilities.
See the National Association of Regulatory Utility Commissioners' (NARUC) "Cyber Security for State Regulators, With Sample Questions to Ask Utilities." See the American Public Power Association's alert last Thursday, "DHS, Energy Dept. Schedule Briefings on Cyber Attacks." (Those meetings begin this week, on Oct. 17. The full article requires membership.) See the many articles on the National Rural Electric Cooperative Association's (NRECA) efforts in, for instance, "Enabling Security for Coops," which discusses NRECA's cyber security toolkit dubbed "Guide to Developing a Cyber Security and Risk Mitigation Plan."
Yet I'm also convinced that many utilities haven't done the difficult work or lack the financial and human resources to do it right. In fact, the latter is a consistent theme espoused by the very same folks who object to federal action and utility cooperation. The folks who don't want more federal demands on their back acknowledge that many utilities don't have the resources to do it right. Those who object to additional federal demands need to spell out their own solution here.
Sadly, this issue is being framed as an either/or proposition, when alternatives are so obvious. Yes, a process for sharing best practices is needed and, in fact, that appears to be happening via the industry associations for each stripe of power utility. Are current processes sufficient? I cannot judge. But experts can. And each utility should be held accountable for achieving some benchmarks for the proper implementation of security measures. As we've seen, IT architects and those concerned (rightly) about industrial control systems are certainly working to prevent effective attacks.
So some time and effort should be set aside from actual security work at every utility to establish to the nation's pertinent agencies that, in fact, they're implementing effective strategies, technologies, processes and training to counter threats to their specific system and can isolate themselves if they are attacked.
How that gets done is the real question. So rather than resist our national government, the power industry needs to propose how it's going to ensure cyber security and what method it favors to establish that such security is being achieved. If everyone is so concerned about how added costs to the provision of electric service might affect the nation's economy, focus for a moment on the cost of a grid failure via cyber attack. Hint: it's potentially an exponential relationship.
For instance, why don't utilities that are confident they've got the challenge in hand invite a national security team to test their defenses? Forget NERC CIP. Forget the checklist compliance argument. Bring in the white-hatted hackers and prove you've done the job or accept oversight.
Intelligent Utility Daily