Public Power Daily Logo

Cybersecurity panel calls for industry and government collaboration, quicker information-sharing

From the April 8, 2013 issue of Public Power Daily

Originally published April 8, 2013

By Fallon Forbush
Communications Assistant
It is estimated that 70 to 80 public power utilities need to comply with version three of the North American Electric Reliability Corp.’s (NERC) Critical Infrastructure Protection (CIP) standards, said APPA Director of Electric Reliability Standards and Compliance Nathan Mitchell. But more will have to comply in the future, he said. 

"I want everyone to understand, CIP standards are a small universe of public power," he said, but "that number will grow." He spoke at a seminar, "Cyber Security: Legislation, Regulation and Executive Orders, Oh My!" last month during APPA’s 2013 Legislative Rally in Washington, D.C.

NERC in 2006 released CIP standards to which all NERC-registered entities must comply upon meeting certain requirements. The third version of the standards are in effect now; however, version four will be enforced beginning April 1, 2014 and version five has been filed with FERC with an estimated effective date in 2016, said Mitchell.

"We’ve asked for quick implementation, but it’s all in FERC’s hands," said Mitchell.

The fifth version calls for brightline criteria with high- medium- and low-impact categories. The requirements are similar to the version three requirements, Mitchell said.

"All cyber systems controlling a brightline designated asset must have some cyber protections," said Mitchell. In version four, brightline assets are generally defined as:
•    generation above 1,500 MW;
•    a blackstart resource and cranking paths; and
•    transmission systems above 200 KV.

The NERC standards create a culture of internal checks that can adapt to change and recognize vulnerabilities, Mitchell said. "The standards are a base," he said. "You can’t chase adversaries with standards," he added. "But these are good practices ... You have to have good hygiene."

Other panelists across the industry participated at the March session, including staff from the Edison Electric Institute (EEI) and the National Rural Electric Cooperative Association (NRECA). The panel called for good "cyber hygiene" and a culture of security and reliability, rather than a culture of compliance.

"We already have a regulator and enforceable standards," said Laura Schepis, senior principal of government relations for NRECA. "We do a good job, but we [government and industry] need to share information." Legislation that would enable quicker information-sharing would "help us do a better job," she said.

"We’re going to have to be continuously reacting to new information," said Schepis.

The cybersecurity panel likened good cyber hygiene to immunizations; a utility can take them, but the shots won’t guarantee that it will not become sick. 

"There is not a 100 percent solution," said Scott Aaronson, director of governmental affairs for EEI.

The White House released an executive order on Feb. 13, calling for increased information-sharing between the government and private sector about cyber threats (see the Feb. 14 Public Power Daily). The order also called for the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices. 

"Government and industry each has a role to play," Aaronson said. "Government is responsible for security [of critical infrastructure]; we’re good at running our systems and identifying risks. We need to work together."

The panel called for better communication among utilities. 

With most utilities, responsibilities for cybersecurity lie with the information technology departments, said Puesh Kumar, APPA’s director of engineering and operations. But those roles are changing, he said. 

Engineers are encountering and detecting cybersecurity concerns as well, Kumar said. "Utilities are evolving from IT-based to industrial control centers that need to communicate with each other," he said. 

Utilities are increasingly sharing services to run their enterprise and control operations, he said. IT systems that run accounting, human resources and website technologies often share telecom, customer service and location information with utility operations, such as SCADA (supervisory control and data acquisition), distribution automation, AMI (automated metering infrastructure) and MDM (meter data management) systems. Cyber threats can enter a utility from both the enterprise and operations ends, he said.

"The attack surface for utilities is increasing," Kumar said. "We can’t be 100 percent secure, but we can build layers of protection into our systems." He said a cybersecurity plan should outline:
  • Roles and responsibilities;
  • Vulnerability assessments;
  • Awareness and training;
  • Policies and procedures; and
  • Technical security controls.
Top management should also be involved in the plan, Kumar said.

The APPA Product Store is offering a new publication for utilities, "Cyber Security Essentials: A Public Power Primer," that provides case studies and recommendations for developing cybersecurity policies and procedures. The author of the primer, Doug Westlund, has advised utilities to run their computer systems on separate networks—one for enterprise (billing, engineering, desktop users) and one for operations (substation, SCADA, metering, distribution, generation and transmission). (See Public Power Daily, June 19, 2012.)

On Feb. 12, APPA sent a letter to Reps. Ed Markey, D-Mass., and Henry Waxman, D-Calif., regarding cybersecurity policies. APPA has urged Congress to consider legislation without placing an unnecessary burden on the industry.

William Coffman, APPA’s senior government relations representative, and Joy Ditto, the association’s vice president of government relations, handle cybersecurity policy matters for APPA.



Be the first to rate this item!

Please Sign in to rate this.


  Add Your Comment

(1000 of 1000 characters remaining)

Senior Vice President, Publishing 
Jeanne Wickline LaBella

Editorial Director
Robert Varela

Editor, Public Power Daily
Jeannine Anderson

Communications Assistant
Fallon W. Forbush

Manager, Integrated Media 
David L. Blaylock

Integrated Media Editor 
Laura D’Alessandro