by Ahren Tryon, Cozen O’Connor
Reported cyberattacks on utility sector control systems increased more than 50 percent in 2012. The energy and water sectors represented most of those reported attacks. In addition to exploits that threatened supervisory control and data acquisition systems and other industrial controls, cyberattacks have affected operations and maintenance activities, billing and customer information databases, Web-based payment systems, PBX phone systems and other Internet-facing networks and devices.
This increasing risk to the electric sector and other critical infrastructure in recent years has pushed federal and state governments to investigate and in some cases advocate for utility cybersecurity measures. Despite statements from high-ranking officials such as the national intelligence director that cyberattacks are at the top of the nation’s security threats, federal action has not kept pace with cyberthreats’ confronting critical infrastructure networks.
Within the electricity supply chain, only the bulk electric system is subject to mandatory cybersecurity standards. The critical infrastructure protection (CIP) standards established by the North American Energy Reliability Corp. (NERC) and enforced by the Federal Energy Regulatory Commission (FERC) include requirements for identifying critical cyberassets, security management, information protection, reporting and recovery planning, among other measures. In April, FERC initiated a rule to adopt Version 5 of the CIP standards, as proposed by NERC. The updated standards would require for the first time that all bulk electric system cybersystems receive some level of protection based on their impact on the grid; however, nonbulk electric system electric assets have no mandatory federal analog to the CIP standards.
Earlier this year, the U.S. House of Representatives introduced and passed the Cyber Intelligence Sharing and Protection Act (CISPA). The bill is similar to a previous version that stagnated in 2012, and it remains unpopular with the Senate and White House largely because of privacy concerns. The Senate has suggested it will develop its own cybersecurity proposal, but the chamber remains split about whether standards should be mandatory or voluntary.
With legislative efforts’ appearing less than promising, the White House is leveraging its executive powers and control of federal agencies to enhance critical infrastructure cybersecurity. After declaring that cyberattacks on the nation’s critical infrastructure present “real threats to our security and our economy,” President Barack Obama issued an executive order that directs the executive branch to expand communication of cyberthreats to critical infrastructure entities and to develop a voluntary cybersecurity framework to address the risk of cyberattacks on critical infrastructure.
Under the executive order, the National Institute of Standards and Technology (NIST) is to develop a voluntary critical infrastructure cybersecurity framework by mid-February 2014. Meanwhile, the Department of Homeland Security (DHS) is to define the critical infrastructure that should be part of the framework by early July 2013, while expanding the existing Enhanced Cybersecurity Services information-sharing program to improve rapid dissemination of threat information to the identified critical infrastructure sectors. NIST issued a request for information to initiate the process and established ongoing workshops designed to inform technology-neutral cross-sector cybersecurity standards. The cybersecurity framework may be expected to have some basis in NIST’s prior efforts.
To encourage participation in and adoption of the framework, the executive order instructs DHS and other federal agencies to determine what incentives can be provided under current law. The executive order also directs federal agencies to examine the extent of their authority to establish requirements based on the framework to address cyberrisks to critical infrastructure.
The Obama administration’s objections to CISPA indicate that support for new cybersecurity laws will be contingent on adequate privacy protections. The absence of a federal mandate might increasingly embolden public utility commissions and state legislatures to require utilities to take measures to protect critical assets and the public from cyberattacks.
It remains unclear whether new or revised cybersecurity requirements will be developed as a result of efforts under consideration at the federal and state levels. Nevertheless, the growth in cyberattacks poses significant financial, litigation and insurance risks for utilities regardless whether voluntary or mandatory standards are in place. Effective strategies will vary by system but should be informed by an integrated team of subject matter experts who identify and address gaps and vulnerabilities in policies and procedures, vendor contracts, industrial control systems, other networked assets and software. Electricity entities that wish to have input on the NIST cybersecurity strategies might want to participate in NIST’s remaining workshops.
Ahren Tryon is a member of Cozen O’Connor’s Energy, Environmental and Public Utility practice group. He leads the energy and water segment of Cozen O’Connor’s cybersecurity team. Prior to entering private practice, Tryon held positions at the federal Pipeline and Hazardous Materials Safety Administration and the Federal Energy Regulatory Commission.