Locking the Grid
The recently passed energy bill includes provisions requiring that power companies adhere to mandatory reliability standards, standards that explicitly encompass cybersecurity protections. Furthermore, both the standards and the organization setting them would be under direct federal supervision.
The Energy Policy Act of 2005 requires that the Federal Energy Regulatory Commission (FERC) certify an Electric Reliability Organization (ERO) which would establish and enforce "reliability standards for the bulk-power system, subject to Commission review." The term reliability standards is defined as including "cybersecurity protections." The legislation provides further explication by defining "reliable operation" as meaning that system failure "will not occur as a result of a...cybersecurity incident..."
Cybersecurity incident is defined by the law to mean "a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system."
The North American Electric Reliability Council, the organization most likely to be certified by FERC as the ERO, has already published the "third draft of its voluntary cybersecurity guidelines to guard against hackers, viruses and other computer attacks..." Now, however, the organization's standards will need to be mandatory rather than merely voluntary. Furthermore, as required by the legislation, the standards and the Council's role as ERO will be subject to FERC's direct supervision.
Overall, the legislation appears to do a good job at balancing the vital role of the private sector in setting and enforcing standards with the need for federal oversight.
See FERC Energy Policy Act web page
See article in Washington Technology