
BPC Report: New Electric Sector Cybersecurity Organization Needed


The North American electric grid should establish a new organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today.  Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC).  "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission, and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives.  The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation.  "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials.  During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said.  "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC,  the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs.

Communications Crucial to Critical Infrastructure Restoration After Cyber Events, Experts Say


(Washington, DC)  The National Association of State Energy Officials (NASEO) and the U.S. Department of Energy’s Office of Electricity Delivery and Energy Reliability held a two-day Energy Assurance and Interdependency Workshop here to examine the cascading impacts of energy systems on other critical infrastructure.  The workshop examined a number of potential emergency scenarios to role-play how interdependent essential services (such as food, water, finance, transportation) might prepare for a number of emergencies, including sophisticated cyber attacks.

During the second day of the workshop, moderator Jack Eisenhauer of Nexight Group laid out for a panel of experts a complex, fictitious cyber attack that cripples banking institutions, leaving users unable to conduct online financial transactions, while taking down the electric grid within large urban areas across the U.S. and consequently disrupting the delivery of natural gas to electric power plants.

On top of these disastrous impacts,  the scenario includes voltage surges in the electric transmission system which flow down to the distribution systems, causing damage to automatic transfer switches and backup generators at many residential and commercial facilities, including the Federal Reserve and banking institutions.  How, the panelists were asked, do you proceed under such a scenario?

Despite the severity of these events, as long as the communications systems still function, damage could be mitigated even under these extreme conditions, the panelists agreed.  "Electricity and communications are really not separate anymore," Patrick Miller, Partner and Managing Principal of the Anfield Group said. "It's a fabric really."

The electric systems can be run manually, particularly at generation facilities, while the cyber incident is investigated and redressed.  "As long as the communication failures didn't occur, they can resume operations," Miller said.

The same thing is true for the natural gas system, according to energy sector security expert Gary Forman. "The manual operation of the natural gas system depends on communications," specifically mobile telephones and land mobile radio.

Transportation also becomes crucial under the hypothetical scenario due to the surge-related physical damage, with particular need for quick delivery of replacement parts and expert personnel.  But, with an incapacitated financial system, transporting equipment and personnel could prove problematic. "Will they even be able to buy gas and swipe their cards?" Forman asked, referring to personnel who must travel in order to make repairs or implement manual operations.

Making repairs to capacitor banks damaged in voltage surges, for example, "requires heavy machinery and big trucks and folks with special training," Miller said.  It would be little surprise, then, if the military stepped in during such a scenario to facilitate restoration.

"We're pretty sure we're going to get the call for support" if the cyber events occur as described, Neil Holloran of the Naval Surface Warfare Center said, particularly if the power outages extend for days. "Beers, bros and barbecues for the first three days and on the fourth day the guns come out," he said.

It could take a week before power is back up, Miller said.  "Under the scenario as designed, [it] looks like we could get it back up within a week."

Coordination is key to restoring essential services, something the financial sector has worked out well through its Information Sharing and Analysis Center (ISAC), Karl Schimmeck, VP of Financial Services Operations, Securities Industry and Financial Markets Association, said.  "That doesn't solve everything, but helps you get the lay of the land," Sara Alexander, Deputy Director of ChicagoFIRST, a regional emergency preparedness organization, said.

The financial services ISAC works well on the national level for cyber incidents, but if physical damage or transportation complexities are involved, regional coordination becomes crucial.  Unfortunately, "if there is something that could replicate the value of the ISAC at the state and regional level, we haven't seen that," Alexander said.

Former DHS Deputy Secretary Lute: We're Not Prepared for an American Blackout


(Washington, DC)  Former Deputy Secretary of Homeland Security Jane Holl Lute said today that the country has a lot more work to do to prepare for the fallout of a catastrophic cybersecurity event, such as a widescale attack on the nation's power grid.  "We're not nearly as prepared as we need to be," she said during a panel discussion following the premiere of National Geographic's American Blackout, which grimly portrays the fictionalized aftermath of a major cyber attack on the U.S. electric system.

A complete breakdown in the U.S. power sector isn't a likely scenario though, according to Scott Aaronson, Security Director for EEI, a trade association for the electricity industry.  "We're the only sector with mandatory cybersecurity standards," he said, referring to the Critical Infrastructure Protection standards mandated by the North American Electric Reliability Corporation.

And the kind of social breakdown depicted in the film could occur if any one of a number of U.S. critical infrastructure sectors were crippled.  "Deprive us of food, deprive us of water, deprive us of telecom and you're going to have the same impact," Aaronson said.

"If you would have asked me, can [a total American blackout] happen, I would have said 'not very likely,'" former CIA and NSA Director Michael Hayden said, referring to his years as the head of those agencies. Hayden also discussed how there are a growing number of strategic weak points in the nation's defense capabilities because cyber technology has pushed the capability to inflict serious damage, a power once reserved for nation states only, down to individuals.

To survive a catastrophic event, whether triggered by a cyberattack or some other calamity, you have to create elasticity in the disaster recovery system, according to Richard Reed, SVP of Disaster Cycle Services for the Red Cross.  Reed too characterized the massive blackout of the film as unlikely but said "there is always an attraction to low probability, high consequence events."

Real recovery from any disaster lies at the community level, Robert Bristow, Medical Director of Emergency Management at New York Presbyterian Hospital, said.  Many communities thrived in Japan following the Tohoku earthquake and tsunami, which triggered a subsequent nuclear disaster.  "In Japan, the communities had resilience."

Critical Infrastructure Providers Take Note: Key Deadlines in the Cybersecurity Executive Order


While I was completely off the grid last week, President Obama finally issued the much-anticipated cybersecurity executive order prior to his State of the Union address.  For those who followed the machinations surrounding the order, the contents of the final order contained no surprises.  In almost every respect, it tracked the publicly released draft executive order dated November 21, 2012, which was a very business-friendly modification of some of the early, more pro-regulatory draft orders.

The order, among other things, basically establishes a one-way information flow, ensuring that the government shares technical and cyber threat information with critical infrastructure providers.  Most of the tweaks to the earlier order underscore the importance of government agencies sharing information with critical infrastructure owners rather than the other way around.  Thus the final order is a far cry from the earliest versions, which proposed regulations of critical infrastructure owners to mitigate risks.

New language that emphasizes the importance of providing threat information (particularly classified threat information) to critical infrastructure owners is peppered throughout the order.  For example, Section 4 (a) of the order says "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats."

Even if the order lacks true bite, a slew of government agencies, offices and departments will nevertheless quickly kick into gear to implement the order's directives.  And any industry or company that might end up categorized as "critical infrastructure" in the order had better get involved right now because the ball will roll very quickly.


The table above and the chart at the top of the article list the major tasks spelled out in the order, when those tasks begin, how much time is slated for completing each task based on its start date, and when the task is ordered to be completed.

As you can see, the deadlines are very tight.  NIST, for example, has only 240 days from the date of the order to develop a preliminary cybersecurity framework that includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.  NIST, therefore, must come up with a comprehensive technical, standards-based cybersecurity framework to cover all affected critical infrastructure industries by October 10, which is a very tall order indeed. (Update:  NIST has already issued its RFI for this framework at http://www.nist.gov/itl/cyberframework.cfm).

Congress hasn't been cut out of the cybersecurity maelstrom, not by a long shot.  The day after Obama issued the order, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA).  From a brief scan of the language, it's basically the same bill of the same name passed by the House last year and slammed by privacy advocates.  Not surprisingly, privacy advocates rushed in to slam this bill on the same grounds.

Moreover, the Obama Administration has said all along that even with this order, Congress must act to redress problems, particularly the lack of incentives for critical infrastructure providers to participate in a meaningful cybersecurity program, that the order cannot legally reach.  Even in his State of the Union address, President Obama reiterated the need for legislation.  "That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said.

The Sprawling Labyrinth of Critical Infrastructure Cybersecurity

The five-alarm warnings that the Obama Administration issued last fall regarding an impending cybersecurity Pearl Harbor, along with the threat of a cybersecurity executive order, seem to have receded into the background as the President continues to grapple with fiscal woes and a politically arduous gun control initiative.  When last we heard anything from reliable sources, that executive order was being readied for release in January (some press reports confirm this), although that seems highly unlikely given the political lay of the land and the hubbub over the inauguration.

But once the order does come out (or if Congress takes another crack at passing cybersecurity legislation), the gargantuan challenge of figuring out the existing cybersecurity landscape will become clear.  I’ve been working on my firm’s first public product (coming soon), a cybersecurity databook that promises to hit the highpoints on the complex issue. 

My first task in mapping out the book was to simply describe the cybersecurity environment today, highlighting the roles of the major players and how the ground rules get established.  That was no easy task. 

When it comes to cybersecurity for the energy industry, for example, nearly one hundred government-related entities, standard-setting bodies, private coalitions, and trade associations have a hand in establishing or influencing the intricate rules, policies and procedures for how cybersecurity requirements and practices are formed, implemented, regulated and shared – and that’s just on the domestic level.   A massive set of groups and government organizations are busy establishing cybersecurity practices and policies on the international level.

I’ve pasted at the end of the article my list of government, standards-setting and information-sharing groups that are profiled in the report.  (If there are any noteworthy omissions in this list, email me.)

At least 36 different government arms, be they affiliated with the White House, Pentagon, independent regulatory agencies, full-fledged Departments, sponsored labs, working groups, or advisory panels, toil away on energy-related cybersecurity matters.  Some, of course, are more active on a day-to-day basis than others and some, particularly those whose primary jurisdiction is telecommunications, only tangentially but crucially overlap with energy.  Some, particularly military groups, may step in only periodically but when they do, their roles carry a tremendous amount of weight.  Some carry the force of law to get things done, while others are merely conduits for basic research, advice and study.

At least 18 different standards-setting bodies develop or codify the technical specifications for the engineering methods and techniques for how cybersecurity is implemented in practice.  Again, some are more important than others, with many primarily responsible for telecommunications standards – when it comes to energy, most of the networks that need cybersecurity protection the most are in fact nothing more than telecommunications or IP-based networks.

Finally, at least eight information-sharing or multi-organization groups play important roles in the energy cybersecurity arena. 

With all these groups, comprising hundreds of bureaucrats, military personnel, engineers, technologists and other specialists, trying to tackle the rarefied topic of cybersecurity, it’s hard to see how any single plan or program can come to grips with the issues.  Throw in nearly 10,000 energy creators, transmitters and distributors and it’s clear that energy cybersecurity is nothing short of an endless labyrinth.

Government Entities Involved in Energy Cybersecurity
National Security Council
Department of Commerce
    DoC - National Institute of Standards and Technology (NIST)
    DoC (NIST) National Cybersecurity Center of Excellence (NCCoE)
    DoC National Telecommunications and Information Administration (NTIA)
Department of Defense 
    DoD Cyber Crime Center (DC3)
    DoD US Cyber Command 
Department of Energy - Office of Electricity Delivery and Energy Reliability
    DOE Argonne National Laboratory
    DOE Idaho National Laboratory
    DOE Lawrence Berkeley National Laboratory
    DOE Lawrence Livermore National Laboratory
    DOE Los Alamos National Laboratory
    DOE New Brunswick Laboratory
    DOE Oak Ridge Institute for Science and Education
    DOE Pacific Northwest National Laboratory
    DOE Sandia National Laboratories
Department of Homeland Security
    DHS - Cross Sector Cyber Security WG
    DHS - Homeland Security Information Network (HSIN)(Private)
    DHS - Industrial Control System Joint Working Group (ICSJWG)
    DHS - US-Computer Emergency Readiness Team (US-CERT)
    DHS - Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
    DHS - National Communications System
    DHS - National Cybersecurity and Communications Integration Center (NCCIC)
    DHS - Sector Coordinating Councils: Electricity and Communications
Department of Justice
    FBI InfraGard 
Department of State
FCC Cybersecurity and Communications Reliability Division (CCR)
    FCC The Communications Security, Reliability And Interoperability Council (CSRIC)
FERC
Nuclear Regulatory Commission
United States Trade Representative
NARUC Committee on Critical Infrastructure
Standards Setting Organizations Involved in Energy Cybersecurity
Alliance for Telecommunications Industry Solutions (ATIS)
American National Standards Institute
Institute of Electrical and Electronic Engineers (IEEE)
International Electrotechnical Commission (IEC)
International Organization for Standardization
International Telecommunications Union (ITU)
North American Electric Reliability Corporation (NERC)
North American Energy Standards Board (NAESB)
UCAIug OpenSG Security
UCAIug OpenSG AMI-SEC
Information Sharing and Other Multi-Organization Groups Involved in Energy Cybersecurity
Advanced Security Acceleration Project for the Smart Grid (ASAP-SG)
Electric Power Research Institute (EPRI)
EnergySec
International Society of Automation (ISA) ISA Information Sharing and Analysis Centers: Power 
Internet Engineering Task Force (IETF)
National Cybersecurity Council Administration
National Electric Cyber Security Organization (NESCO)
North America Transmission Forum 

Image Source:  Wikimedia Commons.

Does Obama Dare to Issue a Cybersecurity Executive Order Before Election Day?


Next Monday, the Department of Homeland Security (DHS) kicks off National Cybersecurity Awareness Month, which features events and initiatives aimed at stressing the importance of good cyber security practices.  The timing of this annual event could not be more propitious given the mounting battle between President Obama and his Republican (and business lobby) adversaries over the expected, imminent executive order on cyber security the Administration has developed in the wake of failed cyber security legislation.

A draft of the order was circulated earlier this month and it looks a lot like the Democratic-backed Cybersecurity Act of 2012, which was aimed at setting up government programs to ensure better cyber security information sharing for critical infrastructure industries.  (One major difference between the order and the Senate bill is that the order specifies by name 16 different sectors that constitute the “critical infrastructure” industries covered by the order, although energy and communications are spelled out upfront as “uniquely” critical sectors that cut across all the other industries.)

A growing number of developments hint that the executive order could come out any day now.  DHS Secretary Janet Napolitano told the Senate last week that the order is near completion, a host of current and former Pentagon officials are speaking out daily about the threat lax cyber security poses to the nation’s welfare, and the Senate champion of the Cybersecurity Act, Joe Lieberman (I-CT), is pushing the president to get the order out the door.

Does all this add up to Obama issuing the executive order before the end of October?  Not exactly.  Despite the intense pressure and momentum, this is an election year and despite Obama’s current comfortable lead in the polls and the resulting lift for all Democratic contests, some smart insiders say the Administration won’t needlessly give Republicans any new ammunition before the polls close on Election Day by issuing what is already a controversial order.   Further dimming the order's pre-election day prospects are Republican rumblings of late that the Congress might still pass a bill before Inauguration Day.  Obama might be reluctant to look like he's pulling ahead of the legislative branch, even if it’s unlikely that the lame duck Congress can get the job done. 

On the other hand, the President could gain even more points in the polls by issuing the order, burnishing his already strong image on national defense.  But, if the smart money is right, look for an executive order no sooner than November 7.

Nod to Energy in Obama's Speech Tonight? Maybe, Even If It's "Boring"



Energy independence has been a staple of American presidential politics since the early 1980s, a hot button issue that nevertheless hasn't triggered the vitriolic level of discord between the two parties typical of other important (and not so important) issues.  High-wire fights over drilling and cap-and-trade notwithstanding, both parties are generally rowing in the same direction on energy independence and efficiency.

Over the past month both parties have embraced the "all-of-the-above" approach, a pragmatic view of energy issues, recognizing that the shift to renewable energy will be a longer slog than optimists thought.  At a panel during the Democratic National Convention yesterday, Howard Dean, former Democratic Governor of Vermont and a one-time presidential contender himself, acknowledged what Democrats have reluctantly embraced:  The country and the economy are dependent on non-renewable energy sources and will be for a long time.   "We're going to need petroleum for the foreseeable future," Dean said.

Still, it's a good idea for the government to push the country in the direction of non-renewable energy as much as is practicable, Dean said.  "I do think there are some reasons to spread out the use of this stuff and to minimize carbon footprint."

One barrier to the shift to renewable energy sources, or to lowering energy consumption, is that to most consumers "energy is boring," according to Art Lasky, President and Founder of consumer energy management company Opower, speaking on a separate panel at the DNC yesterday.  Although "90% of people at this convention and elsewhere would say saving money is important...the only time you think about energy in the home is when the power is out," he said, noting that research shows the average customer spends only six minutes per year actively engaged with their energy utility.

If that's the case, will Obama push energy issues high on his reelection agenda and will we hear much about energy in tonight's speech?  According to some sources, Obama plans to promote his track record on energy issues tonight, pointing to reduced oil imports, improved vehicle efficiency and more renewable energy generation.

In his now-revered nominating speech, Bill Clinton mentioned but only touched on energy, praising Obama's all-of-the-above energy strategy.  It's possible that because both parties seem to agree on the big points, or because most people think the topic is boring, energy isn't a big issue this election season that will sway voters one way or the other.
