Thursday, March 6, 2014

New Policy Approaches to Address Cyber Threats Impacting the Electric Grid

In February the Bipartisan Policy Center released a report focused on cybersecurity and the North American Electric grid.  At first I was worried that this report would be another collection of the same ol' ideas of leaning on the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards as the panacea -- fortunately, this report is very good and really has some excellent ideas to help protect the electric grid from and during a cyber attack.

Simply put, I'd strongly suggest you skim this report if you are in any way/shape/form involved with electric grid cybersecurity defense, policy, funding or response.

The key areas of discussion in the report include:

  • The Existing Landscape for Electric Grid Cybersecurity Governance
  • Standards and Best Practices for Cybersecurity
  • Information Sharing
  • Responding to a Cyber Attack on the North American Electric Grid
  • Paying for Electric Grid Cybersecurity

The report is very refreshing and offers some new ideas on ways to defend the grid and respond to cyberattacks.

One idea that has some merit is the concept of implementing an "Institute" similar to the Institute of Nuclear Power Operations (INPO) that would focus on continuous improvement of cybersecurity of the electric grid.  I sent the following email to one of the Advisory Board members supporting this idea.  In my email I observed:

The Institute of Nuclear Power Operations (INPO) was used as a model agency for oversight of the security of the grid.  I worked at INPO from 1986 to 1992 and when I left I was the Secretary of the Corporation and an evaluation Team Manager.  

Of note, the recently published Cybersecurity Framework (CSF) has an approach very similar to INPO's.  That is, the CSF is "performance-based" rather than "compliance-based," which is an approach that INPO pursued.  INPO published a document entitled Performance Objectives and Criteria for Operating and Near-Term Operating Nuclear Plants that really focused on what would be viewed as optimal performance in particular areas (e.g., management, administration, operations, maintenance, etc.) with a collection of criteria that supported the performance objectives (similar to the CSF).  However, the process was not focused on compliance to the performance objectives but instead to how the plant truly performed.

An example to demonstrate this approach would be relative to CIP-008, incident response.  The NERC approach to reviewing CIP-008 is to actually sight the utility's incident response procedure; however, they do not check to see that it actually is a workable, accurate document (i.e., are the phone numbers/email addresses accurate, can it truly be used as written, is it practiced, etc.).  On the other hand the INPO approach would be to view the document but with emphasis on watching the utility perform the incident response process and observe strengths, weaknesses, etc. and highlight areas needing improvement.

In other words the assessment was based on the true performance of the utility; not a simple view of its paperwork -- a serious flaw with the NERC approach (in my opinion).

I am very pleased with the tone, content and ideas put forth in this report and I look forward to the "new" dialogue that surfaces in this domain different from the old, stale ideas that really don't solve the problem for the entire electric grid from generator to transmission line to distribution system to the toaster in your home.

Again, compliments to the authors and advisory group on this report!