By Ellen Messmer
In an effort to improve security in the nation's electric power grid, the
Washington-based Federal Energy Regulatory Commission is poised to issue
new rules to compel energy companies to use practices such as patch
management and strong authentication to secure their industrial control
systems against attackers, sabotage and unauthorized use.
If FERC at its Dec. 20 meeting approves the so-called Critical
Infrastructure Protection (CIP) standards for physical and cybersecurity
of the electric power grid, it will flip the switch on a regulatory
regime where electric-power companies have to ensure the most critical
parts of their system control and data-acquisition (SCADA) systems meet
security requirements more associated with corporate computer best
But because many SCADA systems in place today to control the bulk-power
grid may not be readily adapted for cybersecurity protection, IT
managers at energy companies say they face the prospect of a wholesale
replacement of their SCADA systems to meet regulatory goals.
"There are SCADA systems out there for forty or fifty years and they're
running fine," says Patrick Miller, chair of the electric-utility user
group called Energy Security Northwest, whose membership hails from 20
utilities. The energy companies across the country, he says, expect the
upcoming FERC decision to influence whether they will need to wholly
replace SCADA systems to meet new security regulations.
Some energy companies say it seems unavoidable. The almost 20-year-old
control systems made by Televant Farradyne used by the Eugene Water &
Electric Board in Oregon to throw switches and move power are going to
be phased out, though replacements haven't been selected yet, says senior
security specialist Mark Ellister. "This is ancient technology, you can't
patch this," says Ellister.
To add to the anxiety, even as FERC prepares to establish new security
rules for the electric power industry as it must under a Congressional
law passed in 2005, it's unclear whether the commission will adopt
outright the eight CIP standards that were proposed last year by the
organization called the North American Electric Reliability Corp.
(NERC). FERC chose NERC to do the job of submitting standards and later
start auditing for them and looking for possible violations, which could
mean steep fines, over the next few years.
Joseph McClelland, director of the newly formed Office of Electric
Reliability at FERC, recently told Congress it may ask NERC to tighten
the proposed standards, which as now written allow for some laxness in
following them, especially if they're not technically feasible for legacy
equipment which can't be upgraded to meet cybersecurity requirements.
"If this equipment is left vulnerable, it could be the focal point of
efforts to disrupt the grid," McClelland told Congress in October.
In addition, the National Institute of Standards and Technology (NIST)
is arguing that it should be the one setting the standards. NIST has
clear authority to set security standards for both the business and
SCADA systems in federally operated electric utilities such as the
Tennessee Valley Authority and Bonneville Power Authority, notes Stuart
Katzke, senior research scientist at NIST.
"The federal ones have to meet the NIST standards guidelines," says
Katzke. "They also have to meet FERC's regulations, whatever they will be."
NIST wants FERC to approve NIST security guidelines for industrial
controls, which are out for comment until mid-December. NIST says its
proposed standards are tougher and better than the ones proposed by
Where is SCADA security?
Caught in the middle of this power struggle, the industry's IT managers
say that many SCADA systems in use today, whether based on Windows, Unix
or older proprietary operating systems, simply aren't designed to
accommodate processes like patch management in the round-the-clock
operations of managing the nation's power grid.
Plus giant SCADA systems traditionally aren't just swapped out. "With
SCADA, you do it with very small pieces over a very long period of time,"
Miller says. "It runs the power grid."
Miller says the older workhorse systems and even new equipment seldom
meet the high expectations of the eight CIP standards under review by
FERC, which may take a hard line in not allowing exceptions.
Miller adds he's seen scant evidence that SCADA manufacturers, other than
Schweitzer Engineering Laboratories, are seeking to adapt to the new
The American Public Power Association (APPA), the Washington-based trade
association representing 2,000 publicly operated utilities, supports the
security standards effort but hopes FERC will allow a technical
feasibility exception for older equipment in substations and generating
plants which is incompatible with certain cyber-security measures,
including software updates and patches.
"Utilities should be able to take advantage of the useful life of
existing equipment from a reliability standpoint," APPA said in its
official comments to FERC. APPA also noted there are risks with using
vendor patches as well as using software with a known flaw.
Even NERC, whose executive vice president, David Wheatley, testified
before Congress in October, expressed worry that promulgating standards
for the bulk power system that draw too closely on the standards
appropriate for secured business systems could result in a less reliable
bulk-power system, either because of decreased operations or decreased
Wheatley's testimony cited as examples how use of password-protected
screen savers could block visibility of real-time operations that have
to be constantly observed, or mistyped passwords could lock out access
to operations controls. NERC declined to discuss this but said the
Congressional testimony reflects its current views.
Allen Mosher, APPA's senior director of policy analysis, said the
security standards process is likely to be one that gets updated every
three years or so, and the NIST proposals might get adopted over time.
Whatever the outcome of the FERC security standard rule-making, there
will be a lot at stake as NERC starts to do audits over the next two
years or so and reports any security violations and noncompliance to
Fines could be up to $1 million per day per violation, Mosher concluded.
All contents copyright 1995-2007 Network World, Inc.