http://www.fcw.com/online/news/153154-1.html
The organization that oversees reliability for the nation’s electrical power grid is stepping up its cybersecurity efforts by setting up a new program office and creating a task force to review cybersecurity standards for the power industry.The North American Electric Reliability Corp. (NERC), a quasi-governmental coalition that operates under the Federal Energy Regulatory Commission (FERC), said it will establish a Critical Infrastructure Program, which includes cybersecurity, as its fourth program focus area. One of the program’s initiatives will be hiring a chief security officer to be a single point of contact for cyber and infrastructure issues related to the national electric power grid.NERC represents stakeholders, primarily utilities, involved in ensuring electric power reliability. In July 2006, FERC designated the corporation as the nation’s electric reliability organization. The corporation also serves as home to the Electric Sector Information Sharing and Analysis Center, one of 17 national centers devoted to critical infrastructure sectors identified under the National Infrastructure Protection Plan.
Showing posts with label Power Grid. Show all posts
Showing posts with label Power Grid. Show all posts
Wednesday, July 23, 2008
Wednesday, July 16, 2008
NERC CEO announces plan to improve response to cyber security and CIP
http://uaelp.pennnet.com/display_article/334315/22/ARTCL/none/none/1/NERC-CEO-announces-plan-to-improve-response-to-cyber-security-and-CIP/
Princeton, NJ, July 15, 2008 -- Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), recently announced the organization's plans to improve its response to cyber security and critical infrastructure protection (CIP) concerns for the bulk power system in North America. Revealed to NERC's board of trustees and stakeholders in a letter last week, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
The actions arise from NERC's recent interaction with various organizations, including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," said Sergel. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Specific actions NERC will take include:
Increasing NERC expertise on CIP and cyber security -- NERC will formally establish the CIP program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. The establishment of the program will include the staffing of a chief security officer position, who will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider alternative standard setting process for cyber security standards -- NERC will establish a task force to review, and where appropriate recommend, a standard setting process for cyber security that will include an emergency/crisis standards setting process. The process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited review of existing cyber standards -- Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing CIP standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate joint collaboration on cyber security -- NERC, working with FERC and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior level utility executives across all stakeholder groups on cyber security threats.
Princeton, NJ, July 15, 2008 -- Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), recently announced the organization's plans to improve its response to cyber security and critical infrastructure protection (CIP) concerns for the bulk power system in North America. Revealed to NERC's board of trustees and stakeholders in a letter last week, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
The actions arise from NERC's recent interaction with various organizations, including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," said Sergel. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Specific actions NERC will take include:
Increasing NERC expertise on CIP and cyber security -- NERC will formally establish the CIP program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. The establishment of the program will include the staffing of a chief security officer position, who will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider alternative standard setting process for cyber security standards -- NERC will establish a task force to review, and where appropriate recommend, a standard setting process for cyber security that will include an emergency/crisis standards setting process. The process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited review of existing cyber standards -- Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing CIP standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate joint collaboration on cyber security -- NERC, working with FERC and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior level utility executives across all stakeholder groups on cyber security threats.
Tuesday, July 15, 2008
Energy "Cyber Security: Are We Doing Enough"
We can’t afford to live in a virtual world when it comes to cyber attacks on our electric grid—this pain would be real. A disruption of our critical infrastructure would be life threatening and could cripple our economy.
U.S. utilities know this and are working around the clock to ensure the safety of their networks and systems. Yes, the electric power system is vulnerable but with constant vigilance and sound cyber security policies we can protect the grid—we just have to be sure we are doing enough.
U.S. utilities know this and are working around the clock to ensure the safety of their networks and systems. Yes, the electric power system is vulnerable but with constant vigilance and sound cyber security policies we can protect the grid—we just have to be sure we are doing enough.
Last year, the number of cyber attacks on utilities per day almost doubled, according to SecureWorks, a managed security services provider to more than 1,800 clients, including 100 utilities. From January through April 2007, the company blocked an average of 49 attackers per utility client per day, while from May through September of that year, it saw an average of 93 unique hackers attempting attacks on each of its utility clients per day.
Thursday, June 19, 2008
SCADA security bug exposes world's critical infrastructure | The Register
SCADA security bug exposes world's critical infrastructure The Register: "Gasoline refineries, manufacturing plants and other industrial facilities that rely on computerized control systems could be vulnerable to a security flaw in a popular piece of software that in some cases allows attackers to remotely take control of critical operations and equipment.
The vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. As a result, companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect's SCADA products may be exposing critical operations to outsiders or disgruntled employees, according to Core Security, which discovered the bug.
Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch. In cases where installing a software update is impractical, organizations can implement workarounds.
In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet.
But 'in the real world, in real scenarios, that's exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business,' said Ivan Arce, CTO of Core. 'Those networks in turn may be connected to the internet.'" ...
The vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. As a result, companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect's SCADA products may be exposing critical operations to outsiders or disgruntled employees, according to Core Security, which discovered the bug.
Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch. In cases where installing a software update is impractical, organizations can implement workarounds.
In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet.
But 'in the real world, in real scenarios, that's exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business,' said Ivan Arce, CTO of Core. 'Those networks in turn may be connected to the internet.'" ...
Monday, June 16, 2008
US: Is our Energy Secure?
Harvard Political Review - Is Our Energy Secure?: "Is Our Energy Secure?
Hurricanes exposed America ’s vulnerability
Hurricanes Katrina and Rita laid a one-two punch on America ’s energy infrastructure. The first blow cut daily oil production by almost one million barrels, while the second halted oil production in the Gulf of Mexico , squelching a third of the nation’s oil supply. The federal government has since begun the process of securing the U.S. energy infrastructure against further natural disasters, but the effectiveness thereof remains to be tested." [...]
Hurricanes exposed America ’s vulnerability
Hurricanes Katrina and Rita laid a one-two punch on America ’s energy infrastructure. The first blow cut daily oil production by almost one million barrels, while the second halted oil production in the Gulf of Mexico , squelching a third of the nation’s oil supply. The federal government has since begun the process of securing the U.S. energy infrastructure against further natural disasters, but the effectiveness thereof remains to be tested." [...]
Saturday, June 14, 2008
Chinese hackers blamed for power cuts - The INQUIRER
Chinese hackers blamed for power cuts : "Chinese hackers blamed for power cuts"
From the Inquirer
CYBER WAR CLAIMS are now getting out of hand, with US government spinners being prepared to blame everything on the Chinese.
A report in the National Journal, claims that Chinese hackers were responsible for a recent power outage in Florida, and the widespread blackout which struck the northeastern US in 2003.
In a literal game of Chinese whispers, the story quotes insecurity experts, who in turn cite unnamed US military intelligence [surely a contradiction in terms. Ed]
The story is that the People's Liberation Army may have cracked the computers controlling the US power grid to trigger the cascading 2003 blackout that cut off electricity to 50 million people in eight states and a Canadian province.
Unfortunately it is not just a bit, but completely, untrue.
At the time investigators blamed 'overgrown trees' that came into contact with strained high-voltage lines near facilities in Ohio owned by FirstEnergy.
No one suggested the trees were a Chinese plant.
But according to Wired, the recent claim is all part of a cunning plan to convince the citizens of the US that they are at grave risk from cyber terrorists.
It all started when intelligence boss Michael McConnell decided that cyber terrorism would be a wizard way of getting warrantless NSA surveillance. He claimed cyber terrorists were costing the US a $100 billion a year.
But this is the first time that the yarn has been linked to one of the most thoroughly-investigated power incidents in US history.
Next it will be found that Chinese hackers were responsible for the housing credit crunch, Miley Cyrus, television reality talent shows and other atrocities.
From the Inquirer
CYBER WAR CLAIMS are now getting out of hand, with US government spinners being prepared to blame everything on the Chinese.
A report in the National Journal, claims that Chinese hackers were responsible for a recent power outage in Florida, and the widespread blackout which struck the northeastern US in 2003.
In a literal game of Chinese whispers, the story quotes insecurity experts, who in turn cite unnamed US military intelligence [surely a contradiction in terms. Ed]
The story is that the People's Liberation Army may have cracked the computers controlling the US power grid to trigger the cascading 2003 blackout that cut off electricity to 50 million people in eight states and a Canadian province.
Unfortunately it is not just a bit, but completely, untrue.
At the time investigators blamed 'overgrown trees' that came into contact with strained high-voltage lines near facilities in Ohio owned by FirstEnergy.
No one suggested the trees were a Chinese plant.
But according to Wired, the recent claim is all part of a cunning plan to convince the citizens of the US that they are at grave risk from cyber terrorists.
It all started when intelligence boss Michael McConnell decided that cyber terrorism would be a wizard way of getting warrantless NSA surveillance. He claimed cyber terrorists were costing the US a $100 billion a year.
But this is the first time that the yarn has been linked to one of the most thoroughly-investigated power incidents in US history.
Next it will be found that Chinese hackers were responsible for the housing credit crunch, Miley Cyrus, television reality talent shows and other atrocities.
Tuesday, June 10, 2008
ISN Publishing House: Energy Security of the European Union
ISN Publishing House: Energy Security of the European Union: "Energy Security of the European Union
This paper, published by the Centre for Strategic Studies (CSS) at ETH Zurich, describes how energy security has become an important policy area for the EU. However, forging and implementing a common energy policy has proven to be difficult. The author states that because the national energy mix and energy policies vary widely, the EU member-states have struggled to agree on common priorities and specific measures. The paper explains that while some progress has been made in the field of sustainability, the realization of a common energy market and of a common external energy policy to secure supplies remains particularly challenging.
This paper, published by the Centre for Strategic Studies (CSS) at ETH Zurich, describes how energy security has become an important policy area for the EU. However, forging and implementing a common energy policy has proven to be difficult. The author states that because the national energy mix and energy policies vary widely, the EU member-states have struggled to agree on common priorities and specific measures. The paper explains that while some progress has been made in the field of sustainability, the realization of a common energy market and of a common external energy policy to secure supplies remains particularly challenging.
Thursday, June 5, 2008
Utility Automation & Engineering T&D - NERC statement on cyber security hearing
Utility Automation & Engineering T&D - NERC statement on cyber security hearing: "NERC statement on cyber security hearing
Princeton, NJ, June 3, 2008 -- Rick Sergel, president & CEO of the North American Electric Reliability Corporation (NERC), made a statement in reference to the hearing of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
'At NERC, our mission is to ensure the reliability of the bulk power system in North America. We fully recognize and appreciate the importance of the reliability and security of our continent's bulk power infrastructure to public safety, economic health, and the lifestyle we enjoy. We share the subcommittee's commitment to ensuring that consumers can continue to rely on electric infrastructure as being safe, secure, and reliable."
Princeton, NJ, June 3, 2008 -- Rick Sergel, president & CEO of the North American Electric Reliability Corporation (NERC), made a statement in reference to the hearing of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
'At NERC, our mission is to ensure the reliability of the bulk power system in North America. We fully recognize and appreciate the importance of the reliability and security of our continent's bulk power infrastructure to public safety, economic health, and the lifestyle we enjoy. We share the subcommittee's commitment to ensuring that consumers can continue to rely on electric infrastructure as being safe, secure, and reliable."
Wednesday, June 4, 2008
Did Hackers Cause the 2003 Northeast Blackout? Umm, No - from Wired.com
Did Hackers Cause the 2003 Northeast Blackout? Umm, No Threat Level from Wired.com: "Did Hackers Cause the 2003 Northeast Blackout? Umm, No"
I found this article appeared on Wired.com blog, quite interesting and I decided to post it after I reported an article on the suspects that the Chinese People Liberation Army could be behind some of the most important US blackouts. It provides a very different perspective on the discussion.
I found this article appeared on Wired.com blog, quite interesting and I decided to post it after I reported an article on the suspects that the Chinese People Liberation Army could be behind some of the most important US blackouts. It provides a very different perspective on the discussion.
Tuesday, June 3, 2008
China Cybarmageddon
China Cybarmageddon
The notion that Chinese hackers are noodling around blacking-out American cities at will is a truly extraordinary assertion. Makes the wildest fantasies of 1950s McCarthyism look quite tame.
"A big week for cyber security news stories. Newsbites editor Ed Skoudis put it in perspective, "Consider this NewsBites in its totality (nation state espionage, power grid vulnerabilities, nuclear facilities, radiation dispersal rumors, congressman discussing threats, and more), and you can see we're in the midst of a sea change in the willingness to discuss the threats we now face. It's not just petty cyber crime any more. Increasingly, there are national security implications and massive safety issues associated with information security vulnerabilities in our critical infrastructure. Lives are at stake."
http://blog.wired.com/sterling/2008/06/china-cybarmage.html
The notion that Chinese hackers are noodling around blacking-out American cities at will is a truly extraordinary assertion. Makes the wildest fantasies of 1950s McCarthyism look quite tame.
"A big week for cyber security news stories. Newsbites editor Ed Skoudis put it in perspective, "Consider this NewsBites in its totality (nation state espionage, power grid vulnerabilities, nuclear facilities, radiation dispersal rumors, congressman discussing threats, and more), and you can see we're in the midst of a sea change in the willingness to discuss the threats we now face. It's not just petty cyber crime any more. Increasingly, there are national security implications and massive safety issues associated with information security vulnerabilities in our critical infrastructure. Lives are at stake."
http://blog.wired.com/sterling/2008/06/china-cybarmage.html
Friday, May 30, 2008
China’s Cyber-Militia
Chinese hackers pose a clear and present danger to U.S. government and private-sector computer networks and may be responsible for two major U.S. power blackouts.
Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.
One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages.
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.
One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages.
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
Thursday, May 22, 2008
Congress Alarmed At Cyber-Vulnerability Of Power Grid - Forbes.com
Congress Alarmed At Cyber-Vulnerability Of Power Grid - Forbes.com: "Congress Alarmed At Cyber-Vulnerability Of Power Grid
[...]
"I think we could search far and wide and not find a more disorganized response to a national security issue of this import," said Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. He pointed a finger to several groups: the DHS for giving scanty details of its video-taped simulation; the power industry for working too slowly to mitigate the threat; and the North American Electric Reliability Corporation, an industry group, for failing in its role as the self-regulatory body assigned to ensure a consistent national power supply. "Everything about the way this vulnerability was handled … leaves me with little confidence that we're ready or willing to deal with the cyber security threat," he said.
The House's criticisms focused primarily on the electric utility industry group, NERC. They argued that the advisories issued by NERC are ineffective and that it has repeatedly misled the House in its investigation of the Aurora vulnerability.
[...]
"I think we could search far and wide and not find a more disorganized response to a national security issue of this import," said Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. He pointed a finger to several groups: the DHS for giving scanty details of its video-taped simulation; the power industry for working too slowly to mitigate the threat; and the North American Electric Reliability Corporation, an industry group, for failing in its role as the self-regulatory body assigned to ensure a consistent national power supply. "Everything about the way this vulnerability was handled … leaves me with little confidence that we're ready or willing to deal with the cyber security threat," he said.
The House's criticisms focused primarily on the electric utility industry group, NERC. They argued that the advisories issued by NERC are ineffective and that it has repeatedly misled the House in its investigation of the Aurora vulnerability.
Subscribe to:
Posts (Atom)
