FERC seeks industry cyber-security plans

Published 14 December 2007

Earlier this year, government scientists hacked into a simulated power-plant control system and caused an electric generator to destroy itself; as worries about the vulnerability of the U.S. power grid to cyber attacks grow, regulators demand that utilities submit detailed reports about their progress in addressing potential cybersecurity vulnerabilities.

We have written about the vulnerability of the U.S. power grid system to deliberate disruption through concerted cyber attacks. Federal energy regulators earlier this week asked the White House to approve a rule requiring the electric industry to submit detailed reports about its progress in addressing potential cyber-security vulnerabilities. AP reports that in its order asking the Office of Management and Budget (OMB) to approve the new requirement, the Federal Energy Regulatory Commission (FERC) cited the ability of government scientists earlier this year to hack into a simulated power-plant control system and cause an electric generator to destroy itself.

“The commission intends to immediately issue a directive that requires all generator owners, generator operators, transmission owners and transmission operators that are registered by the North American Electric Reliability Corp. [NERC] and located in the United States to provide to NERC certain information related to actions they have taken or intend to take to protect against similar cyber vulnerabilities,” the notice said. FERC will require NERC, which oversees North America’s electricity grid, to make the information available for review, and expects about 1,150 responses at a total cost of more than $1.2 million to the industry. Among the companies that NERC oversees are Duke Energy (NYSE: DUK PRA) (NYSE: DUK), Dominion Resources (NYSE: D PRA) (NYSE: D), Constellation Energy Group (NYSE: CEG), and Exelon (NYSE: EXC).

The power grid, generating plants, and refineries face increasing threats from hackers who could cause major disruptions and economic chaos in the United States, according to congressional investigators. The Government Accountability Office (GAO) in October said control systems at those critical facilities “are more vulnerable (today) to cyber attacks than in the past.”

Greg Garcia, assistant secretary for cybersecurity at DHS, told lawmakers the agency was working with others on standards and guidance to protect critical control systems, but that it was the FERC’s responsibility to get more stringent standards to industry. NERC already has asked its industry members to provide information on the vulnerability exploited by the government scientists, but that’s apparently not enough. It is “essentially a request that industry members indicate if their mitigation plans are ‘complete,’ ‘in progress,’ or ‘not performing,’” according to the FERC’s order. “Given the seriousness of this potential vulnerability and given that the NERC data request does not provide information that the commission needs to discharge its statutory responsibilities, the commission believes further action is necessary in order to ensure that the owners and operators of the bulk-power system have taken or are taking appropriate steps to protect (it),” the order said.