Critics: Cybersecurity standards for grid do not go far enough

Published 1 May 2009

Legislators introduce the Critical Electric Infrastructure Protection Act, which would require FERC to issue updated regulations for the U.S. power grid within 120 days of enactment, but critics say the bill is too limited.

Network security experts the other day questioned the effectiveness of a bill being submitted in Congress today that seeks to secure the nation’s electric grid from hackers and foreign spies. The bill, announced on Wednesday by Homeland Security Committee chairmen Joseph Lieberman in the Senate and Bennie Thompson in the House, would give powers to the Federal Energy Regulatory Commission, or FERC, to issue new orders or rules in the event of a national security threat.

MXLogic reports that the bill, called the Critical Electric Infrastructure Protection Act, would require FERC to issue updated regulations within 120 days of enactment. Under current law, a nongovernmental organization, the North American Electric Reliability Corporation (NERC), develops standards for power plants and transmission companies for FERC approval.

Michael Jacobs, a former cybersecurity official at the National Security Agency (NSA), said the bill doesn’t go far enough in compelling owners and operators of power plants to take more safety measures, according to a report on Nextgov.com. “The bill focuses entirely on requirements of the government - there’s nothing in there that obligates or enables the owners and operators of these facilities to upgrade their security,” Jacobs said, Nextgov.com reported. “There ought to be an obligation to put in place the necessary barriers to prevent an intruder from getting to the control systems themselves.”