A number of ongoing and recently initiated programs have reached significant milestones in the effort to better secure the North American power grid from cyber attack, announced the North American Electric Reliability Corporation (NERC) last week

Initially launched by NERC President and CEO Rick Sergel in July 2008, the organization’s efforts to improve its response to cyber security have included the formal creation of a Critical Infrastructure Protection program at NERC, led by Chief Security Officer Michael Assante, facilitation of increased coordination between the public and private sectors on the issue, and outreach efforts to raise the profile and priority of cyber security across the electric industry.

“Cyber security and critical infrastructure protection continue to be a top priority for our organization as we work to ensure the reliability of the bulk power system in North America,” commented Sergel. “The electric industry has supported our organization every step of the way.”

Efforts include:

Revised Cyber Security Standards Recently Approved, Additional Revisions Under Way — NERC’s Board of Trustees approved revisions to the organization’s eight cyber security standards on May 6, 2009 after passage by the electric industry with an 88 percent approval rating. The standards have been filed for regulatory approval in the United States and are already mandatory and enforceable in parts of Canada. Work on phase two revisions continues, with initial industry validation on track for the fourth quarter of 2009. The organization continues to evaluate compliance with the existing standards, with compliance audits scheduled to begin for priority facilities on an initial set of 13 requirements on July 1, 2009. View the revised standards at: http://www.nerc.com/docs/standards/sar/CIP_Standards_Redline_to_last_posting_2009Feb24.zip

Special Cyber Risk Preparedness Assessment to Begin — An industry-led voluntary assessment will soon begin to focus on detection, response, and mitigation capabilities for cyber incidents. Coordinated by NERC, the assessment will look beyond NERC’s current cyber security standards for practices, procedures, and technologies that contribute to cyber preparedness across the industry. Generalized, aggregated results from the assessment will be used to inform standards development activities, alert the industry to potential areas of concern, and identify areas where research and development investment is needed. For security reasons, specific results of the assessment will remain confidential, a key condition of participation in the program. Volunteer-based efforts such as this assessment are conducted separately from NERC’s day-to-day compliance and enforcement activities, and entities will not be subject to fines as a result of this assessment. Any violations uncovered during the assessment will be separately addressed through NERC’s formal compliance processes.

Secure Alerting Portal Enters Pre-Launch Testing Phase — NERC’s next-generation secure alerting portal has begun beta testing in preparation for formal launch in the July-August timeframe. This new portal will facilitate NERC’s alerts process, whereby the organization is able to notify nearly 5,000 industry personnel at utilities, grid operations centers, power plants, and transmission facilities of emerging vulnerabilities as they arise. For priority issues, NERC is able to require entities to acknowledge receipt of an alert and report to NERC on the status of efforts to address the issue. Action on NERC alerts is not mandatory. View NERC alerts at: http://www.nerc.com/page.php?cid=5|63

Electric Industry Education Initiative — NERC is finalizing plans to conduct a series of educational events designed to assist power companies in complying with its cyber security standards. The sessions will also promote a better understanding of the effects cyber risks and vulnerabilities may have on current planning and operational practices. Scheduled to begin with a series of online webinars, the initiative will also include secured and classified industry briefings coordinated with the U.S. and Canadian governments.

“Each of these efforts has been met with strong industry support, which has been vital to our work towards our shared goal of securing North America’s power system from cyber attack,” commented Assante. “While we still have much work ahead of us, I am encouraged by our progress so far and look forward to continued success on these efforts, and others currently under way at NERC, in the weeks and months ahead.”