This is the slightly unsettling story of two organizations, FERC and NERC, as they squabble over the pace of improving the cyber security of our electrical grid. For the energy-acronym challenged, that's the Federal Energy Regulatory Commission (an independent agency within the Department of Energy) and the North American Electric Reliability Corporation. And one more you're going to need to know before this is through: CIP = critical infrastructure protection.
In last week's HuffPo post, "A Less-than-Obvious Connection of Great Import: Secure the Smart Grid to Improve the Environment," I made the case that in order to lay the foundation for grid-scale renewable energy sources, we've got to ensure that the massive electric grid modernization project called the Smart Grid gives us a system that's at least as hard to disrupt via cyber attack as what we've had up until now; otherwise no one's going to want to see it deployed.
While hundreds (and maybe thousands) of companies, associations, and federal, state and local government entities are involved in this process, the decisions and actions of FERC and NERC have a disproportionately large impact on the rest. And the problem is, they simply aren't getting along. While they're not exactly the Montagues and the Capulets, it seems that some blood may be spilled before this drama is fully played out.
This battle over how fast (FERC) or how slow (NERC) cyber security controls are added, and to how many or how few systems, is being waged in public, and their communications on these matters are essentially open letters cc'd to the wider world.
Now, regulatory compliance and the desire to avoid fines aside, some utilities are working to make themselves more secure, and some aren't. Some organizations consider risk management part and parcel of running a sound business; others stick their heads in the sand and hope for the best. Most utilities admit, however, that despite whatever reservations they may have about the current NERC CIP standards, they are more secure today with them than they would be without them.
The case for going faster rests on a couple of basic facts and observations. Here are just a few:
Nevertheless, there's a strong case for going slower:
It didn't seem to work. Most of the operators of electrical generation equipment and many of the operators of electrical transmission systems continue to say they possess zero (or almost zero) assets critical to the reliable operation of the grid. When suicidal squirrels or low-hanging branches touching a wire can trigger a blackout that impacts tens of millions of people, it's hard to understand the logic of these responses from the folks whose job it is to keep the power on 24/7/365.
Then in March of this year, FERC, as bad cop, fired a shot across NERC's bow, saying, in essence, that it was mad as hell and not going to take it (NERC's or the utilities' resistance) any more. To wit:
[FERC] said NERC's current rules do not provide a reasonable assurance that NERC is capable of complying with FERC reliability directives and that misuse of the NERC standards development process thwarts Congress' fundamental goal of instituting mandatory standards to protect reliability of the bulk power system.

NERC stakeholders [can] veto a [FERC] directive by refusing to approve a new or modified reliability standard intended to comply with the [FERC's] directive. That happened recently when NERC attempted to develop a standard requiring each transmission and generator owner to determine the ratings of its bulk power system facilities. FERC issued the directive in 2007 and NERC has not yet complied with it.
And most recently, in an order issued last week (September 16th), FERC gave NERC a double smackdown, denying requests for a rehearing and for additional delays to the timeline for improving the security standards development process.
So something's got to give, and give it may: just a few months ago the House of Representatives passed HR 5026, aka the GRID Act, which among other things allows FERC to bypass the NERC standards-setting process and issue orders directly to utilities concerning security vulnerabilities not addressed by NERC's CIP standards. With Senate approval, FERC may soon cut out the middleman altogether and impose its desire for more security sooner on the utilities, and utilities need to plan and prepare for this possibility.
If you'd like to see firsthand how the industry is handling this and other pressing Smart Grid issues, I recommend you get to (or at least pay attention to) the GridWise Global Forum coming up in DC September 21-23. Some of the most senior leaders in government and industry are going to be there. And who knows, with all this horsepower in one place, maybe they'll make some progress, even if they can't quite resolve the FERC-NERC dispute on cyber security. That's going to take some more time, and probably some pain, before it's settled. Until then, here's hoping that the current level of security being built into the Smart Grid is enough ... for the utilities ... and the rest of us.
If it's that easy to break by accident, you can bet the NSA, KGB, MI6, France, China, and that dweeby kid you hated in high school could do it on purpose.
You can't access your ATM and the bank can't access your account.
The Gas Stations can't pump gas.
The stores can't ring sales on their network.
Traffic screeches to a halt and first responders are tied up with accidents.
We are on our own, and you may not even be able to leave town if you can't get fuel when eventually your generator runs out of fuel.
If your car's digital controls fail, you're stranded.
Want to know more about what life would be like after an EMP? Read "One Second After" by Bill Forstchen and you will quickly understand why this bill needs to be passed NOW and why the danger increases with every day that passes that the grid remains unhardened.
RESTORE EMP PROTECTIONS AND PASS 1462 NOW
but a disturbing majority of Key Personnel are complete buffoons when it comes to understanding computer security.
Key Personnel who use their company laptops and desktops for shopping, surfing the net, e-mail entertainment, etc.
These laptops are greatly compromised, and the companies are in complete ignorant denial.
Even worse, the CIOs of these utilities refuse to spend the money to upgrade beyond XP Pro because the IT staff prefers to stay in their Windows XP Certified comfort zone.
They will swear the really important control systems are not Windows based, but the supervisors still use their laptops to access the network.
The software programs used on these critical control systems could be written better by a 12-year-old script kiddie with a clue.
The day of the big North East Blackout a few years back, every computer on the system was infected with a trojan virus, shutting down and rebooting the computers.
No House bill will save us from ourselves - but treating our people better might. How about doing something about that incredible wealth disparity you guys have foisted upon us?
The US Senate Committee on Energy and Natural Resources ignored the unanimous bipartisan* endorsement of the U.S. House, two Congressional Commissions and the National Academy of Sciences, and threw out the House's protection from electromagnetic pulse (EMP) in HR 5026 for the Senate version of the bill (S.1462). BTW - When is the last time you saw the words "unanimous" and "bipartisan" when referring to a bill like this?
The House's bill protects the grid from nuclear and other physical attacks and great geomagnetic storms. The Senate committee deleted provisions re: EMP and those protecting the grid's large transformers and requiring adequate backup inventory.
The grid is most vulnerable to an EMP attack due to its age, a growing reliance on computer control systems (SCADA), and various methods of attack/damage, including from EMPs generated by hand-held weapons, high-altitude detonation of a nuclear bomb, and the sun.
Please use EMPact America's automated e-campaign to contact your Senators now using the following link, and ask them to adopt in S.1462 (or in a stand alone bill) the House's protection from EMP:
http://www.votervoice.net/Core.aspx?AID=1150&Screen=alert&IssueId=22654&SessionID=%24AID%3d1150%3aSITEID%3d-1%3aVV_CULTURE%3den-us%3aAPP%3dGAC%24)
To learn more about EMP and what you can do about it, please visit www.empactamerica.org. EMPact America is a non-partisan, non-profit organization for citizens dedicated to protecting America from a man-made or natural EMP catastrophe.