“Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” by the staffs of U.S. Reps. Ed Markey (D-Mass.) and Henry Waxman (D-Cal.), resulted from a survey of more than 100 utilities. The report and the contemporaneous House Energy and Commerce Committee hearing on “Cyber Threats and Security Solutions” are indicators of the level of legislative and regulatory attention to these issues. The report’s findings included:
- Attacks on critical infrastructure, including energy, are up 68 percent from 2011 levels
- Many utilities reported “daily,” “constant,” or “frequent” attempted cyber attacks ranging from phishing to malware infection to unfriendly probes
- The rate of cyber attacks against American corporate and government infrastructure is on the rise and unlikely to abate
The report also found that most utilities comply only with mandatory cybersecurity standards and have not implemented voluntary NERC recommendations regarding general or specific threats (e.g., Stuxnet). That finding may provide a basis for renewed efforts to expand mandatory standards for power companies, citing to an alleged failure of self-regulation. In presenting the report to the committee, Rep. Waxman noted:
“The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cybersecurity. When specific threats arise, prompt action is needed. But utilities are apparently not responding to the alerts from this organization” – meaning NERC.
This approach is inconsistent with the voluntary standards process outlined in the critical infrastructure executive order issued earlier this year, and with the work the National Institute of Standards and Technology (NIST) is currently conducting under that order. Many utilities responded to the NIST Request for Information earlier this year, and the initial draft of the Cybersecurity Framework is expected to be produced in July. NIST is currently conducting a workshop at Carnegie Mellon University. A plenary session held on May 29 presented the “NIST Preliminary Analysis of Comments.” The workshop’s plenary sessions will be available for playback approximately one week after the event and may provide the best indication of the direction the Framework will take.
Whether cybersecurity standards for the utility industry are mandatory or voluntary, some form (promulgated by NIST or FERC or both) is almost certain to be well underway by the end of the year. Even if they are not mandatory, they will arguably reflect good industry practice. Accordingly, any utility that suffers some form of data breach or service interruption may be held to those standards by regulators or courts. It may be prudent to stay abreast of the development of the standards and include them in internal policies, training and standards.