Efforts to Secure Nation’s Power Grid Ineffective
The official government cybersecurity standards for the electric power grid fall far short of even the most basic security standards observed by noncritical industries, according to a new audit.
The standards have also been implemented spottily and in illogical ways, concludes a Jan. 26 report from the Department of Energy’s inspector general (.pdf). And even if the standards had been implemented properly, they “were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”
At issue is how well the Federal Energy Regulatory Commission, or FERC, has performed in developing standards for securing the power grid, and ensuring that the industry complies with those standards. Congress gave FERC jurisdiction in 2005 over the security of producers of bulk electricity — that is, the approximately 1,600 entities across the country that operate at 100 kilovolts or higher. In 2006, FERC then assigned the North American Electric Reliability Corporation (NERC), an industry group, the job of developing the standards.
The result, according to the report, is deeply flawed.
The standards, for example, fail to call for secure access controls — such as requiring strong administrative passwords that are changed frequently. or placing limits on the number of unsuccessful login attempts before an account is locked. The latter is a security issue that even Twitter was compelled to address after a hacker gained administrative access to its system using a password cracker.
The report is particularly timely in light of the discovery last year of the Stuxnet worm, a sophisticated piece of malware that was the first to specifically target an industrial control system — the kind of system that is used by nuclear and electrical power plants.
The security standards, formally known as the Critical Infrastructure Protection, or CIP, cybersecurity reliability standards, were in development for more than three years before they were approved in January 2008. Entities performing the most essential bulk electric-system functions were required to comply with 13 of the CIP requirements by June 2008, with the remaining requirements phased in through 2009.
The report indicates that this time frame was out of whack, since many of the most critical issues were allowed to go unaddressed until 2009. For example, power producers were required to begin reporting cybersecurity incidents and create a recovery plan before they were required to actually take steps to prevent the cyber intrusions in the first place — such as implementing strong access controls and patching software vulnerabilities in a timely manner.
The standards are also much less stringent than FERC’s own internal security policy. The standards indicate passwords should be a minimum of six characters and changed at least every year. But FERC’s own, internal security policy requires passwords to be at least 12 characters long and changed every 60 days.
One of the main problems with the standards seems to be that they fail to define what constitutes a critical asset and therefore permit energy producers to use their discretion in determining if they even have any critical assets. Any entity that determines it has no critical assets can consider itself exempt from many of the standards. Since companies are generally loathe to invest in security practices unless they absolutely have to — due to costs — it’s no surprise that the report found many of them underreporting their lists of critical assets.
“For example, even though critical assets could include such things as control centers, transmission substations and generation resources, the former NERC Chief Security Officer noted in April 2009 that only 29 percent of generation owners and operators, and less than 63 percent of transmission owners, identified at least one critical asset on a self-certification compliance survey,” the report notes.
Refer here to download the report.