With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.
In response to such concerns, the Federal Energy Regulatory Commission (FERC) yesterday proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.
“FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security ñ Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” it announced.
The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.”
The FERC statement also proposes that the North American Electric Reliability Corp (NERC) should develop criteria for mitigations against the risks resulting from any malware that could come from third-party transient devices. “These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards,” said FERC.
While there have been few known successful attacks against the U.S. critical infrastructure, concern has grown dramatically with increasing geopolitical tensions, and the more open attribution of specific cyber attacks to specific foreign nations. The activities of Russia, Iran and North Korea are concerning. Russia is openly blamed for the DNC breaches, NotPetya and the attacks against the Ukrainian power systems; North Korea has been blamed for the Sony breach and numerous attacks against South Korea; and Iran has been accused of attacks against aerospace and energy companies.