

Reliability Standards Proposed for Cyber Security in the Bulk Power System



A set of reliability standards to help safeguard the U.S. bulk electric power supply system against potential disruptions from cyber attacks was recently proposed by the Federal Energy Regulatory Commission (FERC).


By CP Editorial Staff  



The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards and submitted them to FERC for approval on August 28, 2006.

The proposed standards require certain users, owners and operators of the grid to establish plans, protocols and controls to safeguard physical and electronic access to systems, to train personnel on security matters, to report security incidents, and to be prepared to recover information.

FERC seeks industry comment on the following eight Critical Infrastructure Protection standards:
- Critical Cyber Asset Identification: Requires the identification of an entity’s critical assets and critical cyber assets using a risk-based assessment methodology.
- Security Management Controls: Requires an entity to develop and implement security management controls to protect critical cyber assets.
- Personnel and Training: Requires that personnel with access to critical cyber assets go through identity verification, criminal background checks and employee training.
- Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The security perimeter is to encompass the critical cyber assets.
- Physical Security of Critical Cyber Assets: Requires the creation and maintenance of a physical security plan that ensures all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
- Systems Security Management: Requires an entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within the perimeter.
- Incident Reporting and Response Planning: Requires the identification, classification and reporting of cyber security incidents related to critical cyber assets.
- Recovery Plans for Critical Cyber Assets: Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices.




Posted on 7/20/2007



