Key Congressional Committee Strongly Criticizes Efforts to Mitigate Electric Grid Cyber Security Vulnerabilities

Today's hearing on the security of the United States' critical infrastructure was as spirited a Congressional hearing on cyber security issues as I have seen during my career, and it's clear that key Members of Congress from both political parties are running out of patience and want to see cyber vulnerabilities taken more seriously immediately, in the bulk power industry in particular.

In a scathing opening statement, U.S. Representative Jim Langevin (D-RI), Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science & Technology, said, "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security." Referring to the bulk power industry's mitigation of a cyber vulnerability known as "Aurora", Langevin said, "Everything about the way this vulnerability was handled -- from press leaks, to DHS's failure to provide more technical details to support the results of its test, to NERC's dismissive attitude, to the industry's half-hearted approach towards mitigation -- leaves me with little confidence that we are ready or willing to deal with the cybersecurity threat."

"Aurora", a vulnerability that was discovered over a year ago in an experiment that was carried out by the Department of Energy's Idaho Lab, caused a power generator to self-destruct in a simulated cyber attack. As a result of the growing concern over potential disruptions to the nation's bulk power system, the U.S. Federal Energy Regulatory Commission (FERC) issued eight new mandatory critical infrastructure protection (CIP) reliability standards in January 2008. These standards were developed by the North American Electric Reliability Corporation (NERC), the self-regulating organization that is responsible for ensuring the reliability of the bulk power system in the U.S.

Today's hearing, titled "Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid", featured the following witnesses: Joseph Kelliher, Chairman of the FERC; Richard Sergel, President and CEO of the NERC; Greg Wilshusen, Director of Information Security Issues at the Government Accountability Office; and William McCollum, Jr., COO of Tennessee Valley Authority (TVA). To view the opening statements and written testimony, use this link on the House of Representatives Homeland Security Committee website.

Several other Members of the Homeland Security Committee also strongly criticized the mitigation of cyber vulnerabilities to the electric power grid, with many of them aiming directly at Mr. Sergel and the NERC. U.S. Representative Bill Pascrell (D-NJ) suggested that the Committee hold NERC "in contempt" because of his concerns over "misleading information" that the Subcommittee had received during their investigation of these issues. Many others emphasized the importance of implementing the new FERC/NERC standards immediately and called for more regulatory authority to be given to the FERC to mandate compliance. Others suggested that the existing standards are inadequate and that more security controls suggested by the National Institute of Standards and Technology (NIST), and supported by the GAO, should be included in updated standards for the industry. Langevin said that "NERC can begin demonstrating its commitment by incorporating more of the NIST security controls in the next iteration of its reliability standards".

FERC Chairman Kelliher appealed to Congress to provide his organization more authority to enforce the new standards and said outright that the standards "are not as effective because they were voluntary" and that that approach has not worked. Congressman Langevin added: "If NERC doesn't start getting serious about national security, it may be time to find a new electric reliability organization."

What do you think should be done to improve cyber security within the bulk power industry? Other parts of our nation's critical infrastructure?

- S.L. Kellogg

Comments

Let's stop coddling the bulk power industry

If they aren't up to the task, let's take the decisions out of their hands and decentralize. Let's use the money we waste on bureaucracy that doesn't perform and put it into the hands of citizens to invest in solar and wind technology that is not grid dependent. This vulnerability is not just about keeping the lights on. It's about maintaining refrigeration of vital foods and medications. It's about heating and cooling homes in extreme weather patterns. It's about keeping well-pumps necessary for providing water to livestock operational. It's about keeping a homebound respiratory patient's oxygen flowing. Maybe they just don't get it. Electricity is basic. Maybe their undeserved taxpayer-funded salaries leave them blind to reality. Clearly, all NERC is interested in doing is telling bulk power providers to cut trees.

That's essentially what I got from the testimony. NERC is not up to the task of rebuffing cyber-attacks on the grid.

- clydesclan
