The Federal Energy Regulatory Commission (FERC) today approved eight mandatory cybersecurity standards that extend to all entities connected to the nation's power grid.
FERC, the U.S. agency responsible for overseeing electric rates and natural gas pricing, approved the standards, which were developed by the North American Electric Reliability Corp. (NERC) in 2006.
The standards – which, before approval, were placed through a lengthy assessment phase by FERC that resulted in 800 pages of comments – govern asset identification, management controls, personnel and training, perimeters, physical security, systems management, incident response and reporting and disaster recovery.
FERC Chairman Joseph Kelliher said today in a commission meeting that past problems affecting the electric grid, such as recent blackouts, were caused by maintenance issues related to vegetation and relays.
"Cybersecurity is a different kind of threat, however," he said in a meeting transcript. "This threat is a conscious threat posed by a single hacker or even an organized group that may be deliberately trying to disrupt the grid. FERC will act to assure cybersecurity of the transmission grid, to the full extent of our legal authority."
The new guidelines apply to all users, owners and operators of the bulk power system, Joe McClelland, director of the office of electric reliability at FERC, told SCMagazineUS.com today.
That includes transmission and generator owners and operators, reliability coordinators, balancing authorities and load-serving entities.
The nation's electric grid has become more vulnerable in recent years as Supervisory Control and Data Acquisition (SCADA) systems transitioned from obscure "air-gapped" platforms to modern Windows- and Linux-based platforms connected to the internet, experts have said.
Before these standards were approved, though, no federally mandated rules were in place.
"There was no reason why someone would be compelled to improve security to their SCADA systems," McClelland said, adding that violators can now be fined up to $1 million per day, per incident.
NERC, which serves as the nation's Electric Reliability Organization, adopted the standards in June 2006, but FERC has since revised them, he said. One major adjustment was eliminating the right for organizations to use "reasonable business judgment" as a reason for not complying with the guidelines.
NERC now will be charged with making further modifications to the standards once they take effect in approximately 60 days, McClelland said.
"As we move forward, we will address the commission's directives and continually evaluate how these standards are executed in practice," Rick Sergel, NERC president and chief executive officer, said today in a statement. "We will monitor key industry and technology developments."
The new measures take effect about four months after a simulated attack showed a hacker-controlled turbine shaking wildly and exploding in a test lab. The video, produced for the U.S. Department of Homeland Security, drew widespread media coverage and chronicled the potential damage attackers could cause.
McClelland said the electric grid is a potential target in today's political landscape. He declined to discuss specific damage malicious individuals might be able to cause.
"If a grid is vulnerable, folks will find a way to exploit the vulnerability," McClelland said. "Without electricity, a lot of bad things happen. A lot of people depend on it for business and personal health and well-being."