New law may tighten power plant security

Part of the 1,724-page energy bill that President Bush signed last week calls for federal bureaucrats to create an "electric reliability organization" that would draft mandatory standards--including cybersecurity guidelines--for electric power system operations.

The Federal Energy Regulatory Commission, or FERC, would be tasked with setting standards to prevent system instability or failures that can be tied to a "sudden disturbance, including a cybersecurity incident." FERC may impose penalties for violations and has 180 days to begin the process of certifying the reliability organization.

The new regulations come about three months after a Government Accountability Office report cited "a general consensus--and increasing concern" among officials that systems controlling utility infrastructures face real threats of attack.

A visit from the Slammer worm, for instance, may have been in part to blame for failures at a nuclear power plant in 2003, the report said. And in March, electric industry security consultants reported numerous intrusions into control systems. No serious damage was done, they said, but the activity "heightened concerns" about future foul play.

One of the reasons why the control systems are so vulnerable is that they're increasingly being connected to private networks that use the Internet, so that they can be managed remotely, the GAO report said.

The current computer system used by utilities and public transportation facilities was not designed with the Internet in mind, said Clarence Morey, senior manager for product strategy at Internet Security Systems, a company that counts public utilities among its clients.

"As companies connect these systems to the Net to allow remote access or drive efficiency, they're opening themselves up to risk," Morey said.

Morey said his company supported the new legislation, adding that a "three-legged stool" composed of technology, legislation and good policy is the way to fend off attacks.

Right now, no mandatory cybersecurity standards exist for power grid operators, but many of them adhere to voluntary ones set by the North American Electric Reliability Council, said council spokeswoman Ellen Vancko. The council, which first adopted 24 pages of cybersecurity guidelines in 2003, is on its third draft of permanent, "more defined" standards, she said.

Vancko said she expects that FERC will certify the council as its official Electric Reliability Organization. The U.S. Department of Energy has already designated the council as coordinator of infrastructure protection for the electric sector, and the council works closely with Homeland Security. FERC did not return calls for comment on Tuesday.

"We pushed the legislation through, and we're the only entity out there developing reliability standards," Vancko said. "So we're really the only entity out there qualified to perform such a role."