
Electricity groups applaud NIST effort to carry out presidential order, but ask agency to avoid prescriptive approach

From the April 15, 2013 issue of Public Power Daily

Originally published April 15, 2013

By Jeannine Anderson

Consumer-owned utilities in the United States support the National Institute of Standards and Technology's efforts to develop a "cybersecurity framework" that is consistent with an executive order on cybersecurity that President Obama issued in February, APPA and other utility groups told NIST earlier this month.

The comments were filed on April 8 by APPA, the Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group. They were responding to NIST's Feb. 26 request for information on "Developing a Framework to Improve Critical Infrastructure Cybersecurity."

APPA and the other organizations represent utilities that will be asked to adopt any voluntary industry standards, methodologies, procedures and processes that are developed under the cybersecurity framework called for by the president in the order he issued on Feb. 12.

"Our respective member electric utilities provide highly reliable and affordable electric service to their customers," APPA and the other groups told NIST. These utilities "have a long history of reliability excellence and a proven commitment to maintaining high standards as technology evolves," and cybersecurity is central to their day-to-day operations, the four associations said.

The electricity trade associations said they "vigorously support the provisions in the executive order furthering information-sharing by government agencies with critical infrastructure owners and operators." In particular, they said, they welcome the order's directive to the attorney general and the secretary of Homeland Security to establish "a process providing for the rapid dissemination of unclassified and classified information relevant to cyber vulnerabilities."

In the past, "much of this information has been shielded from entities seeking to manage cyber vulnerabilities," said APPA and the others. "Establishing strong public-private information-sharing practices between federal government agencies charged with ensuring domestic security, the intelligence community and industry is essential in protecting critical assets from intrusion and disruption."

As electric utilities that own or operate facilities that are part of the bulk electric system and subject to Section 215 of the Federal Power Act, many of the trade associations' members are subject to reliability standards developed by the North American Electric Reliability Corp. and approved by the Federal Energy Regulatory Commission.

Although they see "significant value" in the NIST proposal to develop a cross-sector cybersecurity framework that would establish a voluntary baseline for efforts to mitigate risk, APPA and the other groups said they "strongly counsel NIST to recognize the breadth and depth of NERC's existing Critical Infrastructure Protection (CIP) standards, and ensure that the NIST framework steers clear of conflict or duplication."

The electricity associations pointed out that NERC's CIP reliability standards impose mandatory requirements on owners and operators of the bulk electric system, enforceable by penalties of up to $1 million per violation, per day. The NERC CIP standards are comprehensive, covering both cybersecurity and the physical security of cyber systems used to control the bulk electric system, APPA and the others said. 

They urged NIST to structure the new cybersecurity framework so it will provide "a flexible path" rather than "a set of rules for which a passing or failing grade is assessed." A flexible, process-oriented approach is suggested by the constantly evolving nature of cyber threats, they said. "An overly prescriptive approach would result in guidelines destined to be outdated in short order."

The electricity groups believe the most immediate need "is for the provision of timely, actionable information regarding existing and emerging threats and vulnerabilities, and sound input regarding appropriate responses," said APPA and the others. Utilities recognize the need for a clearinghouse for timely information, they said. 

"This type of clearinghouse has been developed within the utility subsector, but needs to be expanded to include other business sectors and, most importantly, the federal government and its intelligence services," they told NIST. "Accordingly, the electric trade associations place high on the list of challenges the need for information-sharing between the federal government, intelligence community and the private sector, and the timely dissemination of actionable information on emerging threats and vulnerabilities as well as responses." 

The comments, which fill 17 pages, are posted on the Hub, APPA's online discussion area.

