Part Three: A Problem of Authority

Of all the issues raised by the Department of Energy’s Office of Inspector General (OIG) in its January 2011 audit report on power grid cybersecurity, most, if not all, can be traced to a root cause cited in the report’s introduction: The fragmentation of authority among FERC, North American Electric Reliability Corporation (NERC), and industry.

The FERC, or Federal Energy Regulatory Commission, stated the report, “did not have the authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities.” In instances where the commission did have authority to strengthen CIP (Critical Infrastructure Protection) standards, the report charged, “the Commission had not always acted to ensure that cyber security standards were adequate.”

Because it has no vehicle for providing input as standards are developed, the FERC can’t do much more than give the standards a thumbs-up or thumbs-down – and a thumbs-down means restarting another two-year development cycle. There’s no evidence to suggest the commissioners think a weak standard is better than two years with no standard at all, but the implication is there.

This is also a problem FERC can’t do much about, unless Congress decides to increase the commission’s authority over standards development.

Mark Weatherford isn’t sure more centralized authority would necessarily be the answer, if the OIG wants a system that can respond quickly to unanticipated threats – such as the July 2010 appearance of the Stuxnet worm, the first discovered malware to infiltrate and subvert industrial systems. Being too prescriptive could hamstring a company that needs to deal promptly with a previously unknown threat.

“I think if somebody has a program that’s efficient and meets all the existing standards, you have a fairly decent security program,” Weatherford said. “The current standards call for things like: You have to have a security policy in place. You have to have a security officer. You have to have antivirus software. You have to have a patch management program – a list of things that, quite frankly, most security programs have.”

Weatherford also points out that FERC, NERC, and industry are at the very beginning of an ongoing regulatory process, revising the nation’s first set of mandatory cybersecurity standards for a very diverse bulk power industry. “The standards are an attempt to develop a baseline of security controls that fit a wide, wide, wide variety of different systems and applications and hardware,” Weatherford said. “They’re not meant to be comprehensive security controls that mitigate every type of vulnerability or weakness in a system.”

Will Version 4 of the CIP standards put these concerns to rest? Brattini thinks it’s unlikely. “The standards as they are now are what the industry has accepted,” he said. The bulk power industry is eager to point out that the power grid has operated fairly well since the 1890s, with a limited number of major blackouts. It’s hard to imagine, however, that a coal-plant operator from the Gilded Age, even one with several Ph.D.s, could begin to get his mind around the Stuxnet worm. The new reality – a bulk power industry increasingly reliant on IP networks and the Internet – will continue to place much greater burdens on its owners and operators, and on the commission charged with regulating them.