Now that the power sector and electrical utilities are going public with their acceptance of converged standards, other sectors may not be far behind. Some of the regulated critical infrastructure sectors have been working towards an industry wide set of controls that must be implemented and audited. Who will be next?
The North American Electric Reliability Council's new cybersecurity standards for critical infrastructure protection have eight categories, which apply utility risk management analyses to networked systems. A thumbnail description of the main areas:
- Critical Cyber Assets
- Security Management Controls
- Personnel and Training
- Electronic Security
- Physical Security
- Systems Security Management
- Incident Reporting and Response Planning
- Recovery Plans
You can bet that the drafting team has pulled its language from many of the standards that have already been in practice for years. In fact, much of the launch point for this effort was work done soon after 9/11. How soon other industry sectors decide to adopt this framework will likely be decided by the lobby shops. Politics aside, the electric utility sector has moved into a phase of self-regulation, and for good reason.
The huge blackout of Aug. 14, 2003, in which a software glitch at a single electrical provider in Ohio cascaded into an event in which 50 million people in North America lost power, underscored the importance of the reliability standards discussion. But Miserendino says that the group's biggest motivator was the threat that FERC might come in and do the regulating for it. In part, he says, that's because the 2005 Energy Act made FERC responsible for electrical transmission reliability and gave the federal agency the ability to fine utilities for noncompliance.
We can only hope that other critical infrastructure sectors take the same initiative sooner rather than later. As private enterprises, you can do it your way now or face the government's perspective later.