NERC approves strengthened cyber security standards

Published 13 May 2009

The North American Electric Reliability Corp.’s (NERC) independent Board of Trustees last week approved eight revised cyber security standards; entities found in violation of the standards can be fined up to $1 million per day, per violation in the United States

Chinese hackers have managed to penetrate the control systems of the U.S. electric power grid, and, what is more, leave behind “sleeper” malware for future activation for as-yet-unknown purposes. Those in charge of the U.S. grid do not sit still. Eight revised cyber security standards for the North American bulk power system were approved by the North American Electric Reliability Corp.’s (NERC) independent Board of Trustees last week. The action represents the completion of phase one of NERC’s cyber security standards revision work plan, which was launched in July 2008. Work continues on phase two of the revision plan, with version three standards already under development.

The revised standards were passed by the electric industry last week with an 88 percent approval rating, evidence of the industry’s strong support for NERC’s standards development process and the more stringent standards.

The standards comprise approximately forty “good housekeeping” requirements designed to lay a solid foundation of sound security practices that, if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats. Roughly half of those requirements were modified to clarify or strengthen the standards in this initial, expedited revisions phase.

The revisions begin to address concerns raised by the Federal Energy Regulatory Commission (FERC) in its Order No. 706, in which it conditionally approved the standards currently in effect. The revisions notably include the removal of the term “reasonable business judgment” from the standards.

Entities found in violation of the standards can be fined up to $1 million per day, per violation in the United States, with other enforcement provisions in place throughout much of Canada. Audits for compliance with thirteen requirements in the cyber security standards currently in effect will begin on 1 July 2009.

“The approval of these revisions is evidence that NERC’s industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cyber security of the electric grid,” commented Michael Assante, vice president and chief security officer at NERC. “We applaud the work of the standards drafting team leading this effort and look forward to presenting phase two of the revisions to the board for approval early in 2010.”

“It’s important to note, however, that these standards are not designed to address specific, imminent cyber security threats,” he continued. “We firmly believe carefully crafted emergency authority is needed at the government level to address this gap.”

The drafting team leading NERC’s cyber security standards revision efforts comprises twenty-four cyber security experts from across the electric industry.