Princeton, NJ, July 15, 2008 -- Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), recently announced the organization's plans to improve its response to cyber security and critical infrastructure protection (CIP) concerns for the bulk power system in North America. Revealed to NERC's board of trustees and stakeholders in a letter last week, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
The actions arise from NERC's recent interaction with various organizations, including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," said Sergel. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Specific actions NERC will take include:
Increasing NERC expertise on CIP and cyber security -- NERC will formally establish the CIP program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. Establishing the program will include staffing a chief security officer position; the officer will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider alternative standard-setting process for cyber security standards -- NERC will establish a task force to review, and where appropriate recommend, a standard-setting process for cyber security that will include an emergency/crisis standards-setting process. The process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited review of existing cyber standards -- Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing CIP standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate joint collaboration on cyber security -- NERC, working with FERC and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior-level utility executives across all stakeholder groups on cyber security threats.