Obama eyes cybersecurity order
In the aftermath of the failed attempt to pass federal cyber security legislation through Congress last month, the White House is preparing to issue an Executive Order to help protect the country's critical infrastructure from dangerous attacks.
Senator Susan Collins, who co-sponsored the proposed legislation with Senator Joe Lieberman, has also continued to press the issue, advocating for stiffer laws and regulations to protect critical U.S. infrastructure from attacks. The bill would have created voluntary cyber security guidelines for critical infrastructure systems, including utilities and smart grid companies. But opinions varied widely on whether the bill would be effective or would be too burdensome for businesses to implement, and it failed to win Senate approval.
Pushing for national cyber security policy
Now, recognizing Congress's stubbornness and reluctance to act on what the administration views as key agenda items, the Obama administration is prepared to take cyber security matters into its own hands. Executive orders have the full force of law and are generally controversial, as they can be used to implement policy without congressional consent.
Similar to the intent of the Lieberman-Collins bill, the order would allow federal agencies (headed by the Department of Homeland Security) to suggest security best practices for critical infrastructure as well as create federal agencies to evaluate cyber threats, according to a review of the document by the Associated Press.
The Executive Order was confirmed in a letter released Friday by John Brennan, assistant to the President for homeland security and counterterrorism.
"Following congressional inaction, the President is determined to use existing executive branch authorities to protect our nation against cyber threats," Brennan wrote.
In a statement to the Washington Post, Senator Collins noted that an Executive Order should not be a replacement for legislative action, saying, "An executive order could send the unintended signal that congressional action is not urgently needed."
Providing guidance for utilities
An issue for nearly a quarter century, cyber security protection will become increasingly important as the smart grid continues its expansion, which in turn raises the chances of security holes that open the door to attacks and hacks. This growth was confirmed in a report released Monday by energy research firm GlobalData. It projects that the global smart grid cyber security market will climb to more than $79 billion by 2020, growing at a compound annual growth rate of 20 percent.
What's more, it remains a mixed bag in terms of utilities' level of concern over cyber security, according to Bob Lockhart, senior research analyst with Pike Research.
"The education level of utilities is equally all over the block," he said. "When you have an interconnected grid, the problem is that as long as their are weaknesses somewhere, there are weaknesses everywhere."
Although the bulk power supply is already subjected to NERC CIP security standards, national scale guidance can help utility companies and smart grid stakeholders simplify and prioritize the cyber security process. It would also provide regulation for power distribution and the smart grid at the local level, and help utilities target funding and spending.
"The problem is that, in the absence of standards, utilities aren't sure what to buy," Lockhart said.
Along these same lines, the U.S. Department of Energy in June launched its Cybersecurity Capability Maturity Model as another method to help utilities fortify reliability and protect the grid.
The sticking point remains that, however valuable a national cyber security policy may (or may not) be, wide-sweeping regulation is likely to be difficult to implement given the highly regulated U.S. energy market and the overlapping oversight and standards of NERC, FERC, NIST, IEEE and others. The Executive Order would not require extra compliance from companies that are already meeting the suggested cyber security requirements.
Brennan concluded his letter by saying that "the companies driving cyber security innovations in their current practices and planned initiatives should help shape best practices across critical infrastructure."