POWER & ENERGY CONTINUITY

by Lynn Costantini, CIO, North American Electric Reliability Council

The bulk electric power grid in North America spans hundreds of thousands of miles, is operated by hundreds of individual entities, and is relied upon by millions of people. Unquestionably, the electricity infrastructure is a critical infrastructure. But, as the blackout on 14 August 2004 reminded us, the grid is not failure-proof. It is vulnerable to a spectrum of threats ranging from human error to natural disasters to terrorists intent on doing us harm. Defending our electric infrastructure against all of these threats is an international imperative.

The idea of protecting the electricity infrastructure is not new. The industry has a long-standing tradition of working together to ‘keep the lights on’. The North American Electric Reliability Council (NERC) has been coordinating industry activities to ensure the reliability of the bulk electric grid since 1968.

In 1998, the US Department of Energy (DOE) selected NERC to coordinate the electricity sector’s critical infrastructure protection (CIP) activities. This function is vital to ensuring that the electric industry in North America speaks about security with one voice and acts in a coordinated manner.

In its role as sector coordinator, NERC spearheads a broad range of activities aimed at enhancing partnerships with government agencies, establishing cross-sector communications, and protecting critical assets.

BUILDING PARTNERSHIPS

Protecting our critical infrastructure demands cooperation and coordination between the public and private sectors. Only by working together can we fully understand our threat environment, understand the complicated interdependencies between and among critical infrastructures, and have meaningful information exchanges.

For these reasons, NERC has built close working relationships with the DOE, the Federal Energy Regulatory Commission (FERC), the Federal Bureau of Investigation (FBI), and Canada’s Public Safety and Emergency Preparedness office. These relationships have provided significant benefits to the electricity sector in the area of critical infrastructure protection.

In 2002, the US government centralized authority and responsibility for CIP under the newly formed Department of Homeland Security (DHS). NERC is now forging a relationship with DHS, working to clarify roles and responsibilities and build trust.

RAISING AWARENESS

One of the earliest NERC-led CIP initiatives was the formation of an Information Sharing and Analysis Center for the electricity sector (ES-ISAC). The ES-ISAC facilitates information sharing about vulnerabilities, threats and incidents between asset owners in the sector and their public partners, including DHS, DOE and the FBI. Working closely with the FBI’s National Infrastructure Protection Center – now part of DHS – NERC created the Indications, Analysis, and Warnings (IAW) Program, the core around which the ES-ISAC operation was built.

The voluntary IAW program provides a standardized incident report format for sector participants to report physical and cyber threats and vulnerabilities to the ES-ISAC and to DHS. It provides reporting criteria and thresholds as well. Some of the reportable incidents identified in the IAW include:

• Loss of major electrical facilities deemed to be malicious or possibly malicious
• Intelligence gathering (people asking explicit questions about operations, software, telecommunications, etc.)
• Unauthorized physical surveillance
• Planted code in software used for operating systems or market operations
• Intrusions into computer systems used to operate the electric system or markets
• Threats to security, software, operations and physical facilities

Analysts within DHS merge the incident reports with other intelligence and law enforcement information and examine it for trends. Should DHS determine that a threat to the electricity infrastructure exists, it sends a warning to the industry through the ES-ISAC and other channels.

Since its inception, the ES-ISAC has received many incident reports from asset owners and sent indications and warning messages from DHS back to the industry.

NERC also participates in the ISAC Council, an organization that brings together 11 critical infrastructure industry ISACs for the purpose of cross-sector information sharing. Council activities include establishing and maintaining policies for inter-ISAC coordination and protocols for data and information exchange.

Ultimately, protecting the electricity infrastructure is about detailed preparedness, mitigation and restoration planning. Through NERC, the industry has undertaken the following initiatives to support these planning efforts.

Security guidelines

Working with NERC, the electric industry has developed a comprehensive set of guidelines for identifying and protecting its critical assets. The guidelines cover topics ranging from vulnerability and risk assessment, to threat response, to physical and cyber security, to emergency management and business continuity, and more. Together, they describe general approaches, considerations, practices, and planning philosophies to be applied in protecting the electric infrastructure systems.

Two themes run through these guidelines:

• Plans should not be kept on a shelf. They must be reviewed and tested on a regular basis and revised as necessary.
• Personnel should know about the plans. Security awareness training helps personnel fully understand their role and responsibilities in protecting the organization against its perceived spectrum of threats and, as such, is an essential ingredient of a successful security program.

Moreover, these guidelines will evolve as the threats and challenges to the electric infrastructure and the tools used to meet those threats and challenges evolve.

Cyber security standard

The US government made cyber security a priority for critical infrastructure industries in February 2003 when it released the ‘National Strategy to Secure Cyberspace’. The electricity industry responded and, in June 2003, NERC Standard 1200 – Cyber Security was approved.

Created using NERC’s new consensus-based standards development process, the goal of the Cyber Security Standard is to reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets (computers, software and communication networks) that support those systems. The standard defines 16 requirements that, when taken together, comprise a sound cyber security program. They include assigning executive oversight responsibilities; performing thorough assessments of existing cyber security; implementing appropriate, technically feasible improvements; and writing business continuity plans.

NERC expects other security guidelines will evolve into security standards. The industry will dictate the timing, based on the threats to the infrastructure and the identification of new vulnerabilities.

Public key infrastructure

Reliance on computer-based systems and applications to ensure reliability and to support deregulated energy markets is growing, as is the need to protect these
systems and the people who use them. To meet this need, NERC is facilitating the industry’s efforts to design and implement a ‘public key infrastructure’ (PKI).

PKI delivers security services – privacy, authentication, integrity and non-repudiation – across increasingly insecure networks such as the internet using a technique called public key cryptography. A pair of mathematically related values (cryptographic keys) is randomly generated. One key is kept private and the other ‘public key’ embedded into a digital certificate. The certificate can be used to verify the holder’s identity, much like a passport, or to encrypt and decrypt electronic transactions.

PKI will provide a robust security environment in which electric industry participants can conduct business with trusted partners. Uniform implementation across the infrastructure, driven by a common set of policy requirements, will allow end-users to present a single set of trusted credentials across a wide variety of applications, reduce administrative burden, and enjoy the same security benefits regardless of the transaction.

Critical spares

In 1989, the FBI asked NERC to identify and locate certain equipment that may be available in the event of a terrorist attack against an electric system. In response, NERC built its spare equipment database. That database has recently been expanded to include additional components deemed critical to the restoration of electric systems. NERC is pursuing other initiatives to ensure rapid recovery of the sector in the event of a terrorist attack. Among these initiatives are terrorist-attack response strategies, standardized designs for critical equipment, and consideration of an industry-wide ‘Strategic Equipment Pool’.

Numerous other CIP-related activities are underway in areas such as supervisory control and data acquisition (SCADA) system security, high-altitude electromagnetic pulse, and computer system intrusion detection and protection.

Meanwhile, NERC is working closely with its government partners to identify research and development needs for the electric industry to advance the security of the infrastructure well into the future.

CONCLUSIONS

In the post 9/11 world, critical infrastructure protection is clearly a high priority. To be effective, CIP activities must be coordinated within critical infrastructure sectors, across critical infrastructure sectors, and with government partners. It is also imperative that critical infrastructure industries identify and mitigate vulnerabilities to the best of their abilities. NERC, as the designated electricity sector coordinator, is committed to continue building the relationships necessary for this coordination to take place.

Within the industry, NERC is committed to facilitating initiatives to identify vulnerabilities and create effective protection strategies to deter and mitigate attacks against the electricity infrastructure. NERC operates the ES-ISAC to ensure timely information exchanges concerning infrastructure incidents, threats and warnings.

These CIP efforts, being replicated in critical infrastructure industries across North America, will indeed help to protect the national economies of the United States and Canada, and the well-being of all their citizens.

Lynn Costantini joined NERC in 1983, where she has held a variety of positions, including Director of the Generating Availability Data System and Director – Information Technology. As CIO, Costantini is responsible for ensuring NERC’s information assets and the environment in which they operate are secure. She and her team also develop and maintain systems used by the electric industry to monitor system conditions in near real-time.
