Nearly eight months ago the Defense Tech contributors from Technolytics and Spy Ops covered a CIA presentation that disclosed to 300 U.S. and foreign government officials, engineers and security managers from the critical infrastructure sectors (gas, oil and electricity asset owners) that they had intelligence from multiple regions outside the United States of cyber intrusions into utilities followed by extortion demands.
On the heels of this announcement, the Federal Energy Regulatory Commission (FERC) approved a final set of security standards designed to protect the United States electric grid against a cyber attack.
The eight security standards include:
1. Critical cyber asset identification2. Security management controls3. Personnel and training4. Electronic security perimeters5. Physical security of critical cyber assets6. System security management7. Incident reporting and response planning8. Recovery plans for critical cyber assets
Back in May the Government Accountability Office's assessment and report found that the Tennessee Valley Authority is vulnerable to cyber attacks that could sabotage critical systems. TVA is the nation's largest public power company that provides electricity to 159 local distributors that serve 8.8 million people and 650,000 businesses and industries in a seven-state area. The 62 page report cited one reason for the concern is that TVA had not consistently implemented significant elements of its information security program. The report was requested by a House Homeland Security panel on cyber security.
The potential for cyber security attacks on our nation's electric power grid has spurred politicians to consider legislation to broaden federal authority over electric companies. The steadily increasing risks have caused Congress to consult with federal agencies and industry associations on how to craft such legislation. Just recently, legislators sought further input at a hearing before the House Energy and Commerce's subcommittee on energy and air quality.
It has been eight months since this risk was openly disclosed to the public along with evidence that cyber attacks caused power outages in at least three countries. One would think that something as critical as the power grid's security and integrity demands would receive much more expedient attention. It is only a matter of time until a successful cyber attack on our infrastructure occurs and time is running out. With every tick of the clock we get that much closer to a significant cyber attack incident.