FERC approves eight critical infrastructure protection standards

The U.S. Federal Energy Regulatory Commission (FERC) has now approved eight standards aimed at protecting the national electricity grid from cyber attack. They tackle access control, software and data system vulnerabilities. The new standards are mandatory and will be enforced by the FERC. As we reported last week, the CIA — probably coincidentally — took the unusual step of making a public statement about cyber attacks on foreign electricity grids. Tom Donahue, a senior analyst with the CIA, told a conference that the CIA had evidence of successful cyber attacks launched across the Internet disrupting power supplies, and that in one case it caused an outage in several cities. In several cases the attacks were followed by extortion demands.

Ovum comments that the CIA report confirms yet another case of a long known theoretical threat turning into a reality. It does not name the victims, but countries within the former Soviet Union are likely candidates. The linkage with extortion indicates that this is the work of criminal gangs, but governments and terrorist organizations could adopt similar tactics in future disputes. Protecting critical national infrastructure has become a higher priority. Some people have questioned whether the existing SCADA (System Control And Data Acquisition) systems are capable of being upgraded to meet the FERC requirements — and the directive could lead to accelerated system upgrading. The issues are common to communications, utilities, energy, finance, and transport systems — not just electricity.

Recall the HS Daily Wire’s unofficial motto: Show us a security need and we’ll show you a business opportunity. Ovum agrees: “There is a commercial opportunity for the IT suppliers to step up to the challenge of delivering secure SCADA systems.” Exactly.