
BPC Report: New Electric Sector Cybersecurity Organization Needed


The North American electric grid should establish a new organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today.  Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC).  "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission, and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives.  The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation.  "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials.  During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said.  "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs.

Who's Paying for Huawei's Cybersecurity Evaluation? Not Huawei, Apparently.


Under tough questioning yesterday from Silicon Valley-area U.S. Representative Anna Eshoo (D-CA), John Lindquist, President and CEO of highly regarded defense contractor and security firm Electronic Warfare Associates (EWA), said that a major American telecommunications company paid for a recent cybersecurity audit of technology from controversial Chinese telecom equipment supply giant Huawei.  Speaking at a hearing on supply chain cybersecurity issues before the House Energy and Commerce Committee's Subcommittee on Communications and Technology, Lindquist was asked by Eshoo who paid for the cybersecurity "seal of approval" that she assumed EWA had given to Huawei.

Eshoo had presumed that Huawei had paid for the evaluation given that Huawei itself has said on several occasions that it has "hired" EWA "to audit our products in order to certify the safety and reliability of the products at the source code."  If that were the case, Eshoo said, it could be the "equivalent of what happened on Wall Street" when the ratings agencies gave glowing marks to some unstable financial institutions that paid the agencies.

To Eshoo's surprise, Lindquist said that in fact Huawei didn't pay for the evaluation but that an unnamed major American telecommunications company did instead.  Lindquist said that an NDA barred him from naming the company.  In his written testimony, Lindquist did note that EWA's business practices, as is the case with many technology evaluation firms, call for the telecommunications company, as the primary beneficiary, to pay for security evaluations of vendor products.

It wouldn't be surprising, then, that a major U.S. telecom company would pay for an evaluation of Huawei's products.  A number of U.S. telecom companies do business with Huawei, including Cricket Communications, Clearwire, Cox and Level 3/BTW, according to a report by Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD) of the Permanent Select Committee on Intelligence.  In addition, a number of other Tier 1 telecom providers, such as Verizon, are clearly evaluating if not currently using Huawei technology.

Whichever telco it is, "they are in the process" of contemplating a purchase and "we are in the process of evaluating their system.  The evaluation is by no means complete and we’re only evaluating the radio area network portion," Lindquist said.

Lindquist stressed, however, that "we do not give a seal of approval.  What we do is take known threats and we have very good access in the government to the agreed list of cyberthreats...what we do say is what we looked at and what we found and if we found things, what corrections were made."

Huawei, an equipment and networking giant whose global sales of gear and software skyrocketed over the past ten years, topping $30 billion in annual revenue, is viewed by some military and cybersecurity specialists as a threat to the security of critical telecommunications infrastructure.  Some Huawei opponents believe that the company is bankrolled and controlled by the Chinese government, which is arguably the most active nation-state engaged in cyber espionage and hacking.  They further suspect the motives of Huawei's founder, Ren Zhengfei, who formed the company after leaving a civilian-ranked engineering post in the Chinese military.

As a consequence, detractors argue, Huawei has both the capability and the incentive to introduce undetectable backdoors and other vulnerabilities into the products it sells to telecom companies, for the benefit of China's economic and military interests.  Other experts, however, contend that the focus on Huawei, and to a lesser extent on another telecom tech giant, ZTE, is a form of paranoia inappropriately aimed at Chinese companies, fed by the often overheated and sometimes nationalistic rhetoric surrounding cybersecurity matters.
