Image

FERC Order for Deficient Cybersecurity Standards Leaves Grid at Risk

March 2, 2016
The newly ordered NERC cybersecurity standard would exempt significant points of vulnerability, including communications between control rooms and grid substations, according to the Foundation for Resilient Societies.

In the wake of the recent cyberattack on the Ukrainian power grid and numerous cyberattacks on databases used by U.S. government and industry, the Federal Energy Regulatory Commission recently ordered an electric grid cybersecurity standard to be set by the North American Electric Reliability Corporation. However, the newly ordered NERC cybersecurity standard would exempt significant points of vulnerability, including communications between control rooms and grid substations, according to a release from the Foundation for Resilient Societies.

On Feb. 22, 2016, the Foundation for Resilient Societies filed an administrative Request for Rehearing with FERC, asking that FERC Order 822 be reconsidered. The text of Resilient Societies’ petition to FERC can be downloaded at Cybersecurity Request for Rehearing.

Under provisions of Federal Power Act amendments of August 2005, FERC reviews and approves grid cybersecurity standards set by NERC, a private non-profit corporation. NERC is governed by vote of its members; approximately 70% of NERC members are representatives of electric utilities.

The Federal Power Act authorizes FERC to ensure that interstate electricity transmission systems are protected against cybersecurity incidents. In particular, Congress has given FERC authority to ensure protection of the grid’s programmable electronic devices and communications networks. But FERC has approved five sets of NERC Critical Infrastructure Protection (CIP) standards containing an exemption for grid communications networks.

The newly ordered NERC standard would still exempt protection of communications between control centers and substations. Ironically, industry standards require encryption of credit card information transmitted over the public internet, but the same is not true for communications between grid control centers and substations. When hackers attacked the Ukrainian power grid, they attacked control centers, and service call centers, and substations.

In its recent Order 822, FERC has also failed to order the removal of embedded malware in grid equipment, despite public testimony at FERC’s January 29 technical conference that malware infections are common.

The Foundation for Resilient Societies is a Nashua, New Hampshire-based nonprofit group that conducts research and education on cyber-protection of critical infrastructure.

Voice your opinion!

To join the conversation, and become an exclusive member of T&D World, create an account today!