- appointing a White House cyber security "czar" with the authority to shut down government and private computer networks during a cyber-attack
- charging the National Institute of Standards and Technology (NIST) to establish "measurable and auditable cyber security standards"
- mandating an ongoing, quadrennial review of the nation's cyber defenses
- requiring licensing and certification of cyber security professionals.
Also notable, NSA’s increasing role in such developments is causing growing concerns about privacy and pursuing an inherently flawed strategy by charging the organization with both ongoing intelligence gathering and an expansive new mission around national cyber defenses. The resignation of Rod Beckstrom from an executive-level cyber security federal government position underscores such concerns.
FERC Order - Nuclear "Regulatory Gap" Update.
The Federal Energy Regulatory Commission (FERC) is pressing forward to resolve commercial nuclear cyber security jurisdictional “regulatory gap” concerns raised last year. A FERC issued “clarification” (~17 pages; Docket No. RM06-22-000; Order No. 706-B) on March 25th addresses previously requested industry input. It also concludes with a determination insisting that the portions of a nuclear power plant, not specifically addressed with tighter security program coverage in the forthcoming regulations from the Nuclear Regulatory Commission (NRC), will be required to adhere to NERC Critical Infrastructure Protection (CIP) Reliability Standards. This rule became effective March 25, 2009. The combination of enhanced NRC requirements and the addition of FERC/NERC expectations into the mix make addressing cyber security an even more important licensing and compliance challenge for commercial nuclear power. Some good news- FERC is providing implementation schedule flexibility which will first be addressed by the Electric Reliability Organization (ERO). NERC, as ERO, is is required to submit related compliance filing to FERC within 180 days.
Congressional Hearing- Latest Round on Cybersecurity w/Joe Weiss.
On Thursday, March 19, 2009, the US Senate Committee on Commerce,Science, and Transportation held a hearing titled Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense (webcast-jump 12m to session start, testimony) Among the witnesses offering testimony was Mr. Joseph Weiss, a nuclear and industrial controls system (ICS) engineer, who long has been critical of most vendor, industry, and governmental/regulatory measures addressing related cyber security risks. His statement included pointing out how industrial control systems have experienced at least 125 significant cyber security incidents during the past decade (written testimony). The effects include environmental damage, mechanical damage and in once case, death. He said that a coordinated attack could have devastating consequences, "taking months to recover." (Editorial note: Potential physical and other electronic systemic attacks yet to be substantively experienced remain a noteworthy risk with conceivably even lengthier recovery periods.) Worth watching as each of the witnesses had their perspective backed with solid points followed by Q&A that pressed for answers around concerns raised and improvement approaches needed.
It's increasingly clear that cyber security in critical infrastructure settings, especially the Electric Sector, will continue gathering growing attention at a national level that goes well beyond sensationalized media coverage.
No comments:
Post a Comment