Existing NERC security rules will not be enough to hold off the kind of multifaceted spear phishing and malware-based attacks referred to by government security agencies as Advanced Persistent Threats, according to a presentation NERC Regional Security Coordinator Jim Brenton made (PDF) at the NERC's Grid Security Conference in October.
Brenton, speaking to attendees during a session he called a "wake-up call" for the industry, encouraged utilities to update intrusion-detection tools, hire digital security operations specialists and switch to continuous security monitoring rather than the paper-based compliance system NERC has required until now.
As part of an ongoing effort to raise security as a priority utilities will take seriously, NERC organized 75 utilities and government agencies into a cybersecurity exercise called GridEx 2011 – its first – Nov. 15-17 to "test and validate existing crisis-response plans and to adjust plans as needed in an exercise setting."
Feds can't tell if utilities are secure
Unfortunately, while NERC can fine utilities up to $1 million per day for failing to comply with security rules, having responsibility for creating and enforcing regulations spread among several agencies makes it difficult to even coordinate enforcement of current rules, let alone develop new ones to cover increasingly serious threats in the future, the MIT report concluded.
The Federal Energy Regulatory Commission currently has no way to monitor industry compliance with current digital security measures, according to a Government Accountability Office report cited by the MIT researchers.
Because each utility company is independent and most are regulated primarily by the states in which they operate and only secondarily by federal agencies, coordinating security efforts among all the players is a logistical nightmare, according to the MIT report, which recommends a single government agency be put in charge.
The Obama administration is pushing to make the Department of Homeland Security responsible, but some members of Congress want to consolidate enforcement under the Energy Department and FERC.
On Nov. 7, NERC announced it had lost its chief security officer, Mark Weatherford, who took a job as deputy undersecretary for Cybersecurity for the National Protection and Programs Directorate at DHS.