
NERC CSO warns of cybersecurity threats, risk to electric grid

By Alexander B. Howard, Associate Editor
03 Nov 2009 | SearchCompliance.com


The shift from the Cold War to a new operational environment is well known to Michael Assante, chief security officer for the North American Electric Reliability Corporation (NERC), who was a young officer in Naval intelligence.

"There was a known security rule set" in the Cold War, he said at a recent panel discussion at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Awareness Month drew to a close.

"We knew and expected behaviors. We could calculate escalation. We took this into account when we planned any action."

When cyberdefenses and communications entered the military, it was a "force multiplier," said Assante, who as chief security officer at NERC is charged with securing the electric grid. "We appreciated what it gave us. What we didn't realize was that cyber would be the thing that destroyed the rules of order."

Now, when there's an attack, determining what entity was responsible for the cybersecurity threat and how defenders should respond offers neither certainties nor clear lines of action. "We need to both think about how we plan the system so that it's reliable and how to protect that system," he said. "The cybersecurity challenge is one of the most concerning that faces North America."

The denial-of-service attacks against U.S. government sites in July were a time of "known unknowns," he said. "In the new world of cyber, it's an issue of 'unknown unknowns,'" he added, appropriating a line from former Secretary of Defense Donald Rumsfeld.

"2006 was a turning point in the cybersecurity world," said Assante. "We saw a stratification and specialization in the hacker world. It means a new problem set. It used to be one or two individuals. Now you have certain organizations which would specialize in vulnerabilities, others in weapons. The challenge to protecting infrastructure today is to understand what is in the realm of the possible."

That's especially true when it comes to securing the electric grid. "We're facing a new 21st-century grid -- the smart grid," he said. "For the first time, we're going to deploy it across the entire system, including the distribution system."

Addressing cybersecurity threats presents new challenges to utility companies and security executives. Now, for the first time, cybersecurity is being regulated. "The industry has said that we should have mandatory standards," Assante said. Those standards are now being enforced by NERC.

FISMA reform proposed

NERC compliance isn't the only area where cybersecurity threats are a concern. The federal government is moving on a number of fronts, including last month when the Department of Homeland Security opened a new unified cybersecurity center in Virginia. And in testimony before Congress last month, U.S. CIO Vivek Kundra said the White House will create a "cybersecurity dashboard," to be launched next spring. The project will be similar to the tool Kundra created for Data.gov.

"Just as the IT dashboard took us from a static, paper-based environment to a dynamic digital environment, the new cybersecurity dashboard will provide the government with a real-time view of threats facing us and our vulnerabilities," Kundra said.

The dashboard may be matched by reforms to the Federal Information Security Management Act (FISMA). Kundra said in his testimony that when FISMA was first enacted, the metrics "were lagging indicators focused on compliance rather than outcomes."

That issue was at the heart of the introduction of the Information and Communications Enhancement, or ICE Act, by Sen. Thomas Carper (D-Del.) earlier this year, which proposed a restructuring of cybersecurity rules.

The costs of FISMA reporting are also at issue. Carper said the certification and accreditation process required by FISMA costs $1.3 billion annually, along with another $1 billion each year for auditing FISMA compliance. Carper estimated the total spent on FISMA compliance at about $40 billion since its enactment in 2002. Automation may reduce those costs.

Let us know what you think about the story; email: ahoward@techtarget.com or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
