Protecting power grid seen as a slow process
It’s been a year since a sagging high voltage line in Ohio cascaded into a power failure that plunged 50 million people in eight states and a Canadian province into darkness. Since then, efforts to protect the power grid against computer-based threats have proceeded slowly. The North American Electric Reliability Council (NERC) — the not-for-profit industry group responsible for keeping electricity flowing throughout the United States and Canada — has released a list of measures to shore up electric grid reliability in the year since the Aug. 14, 2003 blackout. Topping the cybersecurity portion of the list, the council recently voted to renew for one year a set of rules called the Urgent Action Cyber Security Standard 1200, setting minimum cybersecurity requirements for utility companies in the U.S. and Canada. But that standard — by coincidence enacted the day before the blackout — is relatively small in scope: It applies only to utility control centers, and specifically exempts substations, power plants, and the remotely operated control systems and relays sprinkled throughout the grid. “It doesn’t go far enough,” Tom Kropp, manager of enterprise information security at the Electric Power Research Institute, told SecurityFocus. “It is very, very limited in what it applies to.”