Agency Aims to Enhance Power Grid Security

     WASHINGTON (CN) - The Federal Energy Regulatory Commission (FERC) has proposed a new rule aimed at preventing cyber security issues from crippling the nation's bulk electric system.
     The proposed Version 5 Critical Infrastructure Protection (CIP) Reliability Standards which pertain to the cyber security of the nation's power grid, adopt new cyber security controls and extend the scope of the systems that are protected by the CIP Reliability Standards.
     The rule would include 12 new cyber security controls that deal with protecting information, training personnel, and providing guidance on incident reports, response planning, recovery plans and vulnerability assessments.
     Under the CIP Electronic Security Perimeter, for example, "responsible entities," such as power plants, are required to implement inbound and outbound network access permissions, and the reason for granting access, FERC said in its proposal.
     "Implementing outbound access permission can prevent malware from reaching out to a command and control system, potentially reducing the effectiveness of the malware. As another example . . . responsible entities must monitor for suspicious inbound and outbound communications at all access points to the Electronic Security Perimeter. Monitoring communications can detect and help prevent malicious code from transferring between networks," the FERC said in its action.
     "Malware," or malicious software, disrupts a computer system's operation, to gain access to private systems and collect sensitive information, according to wisegeek.org.
     "The commission recognizes the ongoing challenge of developing and maintaining meaningful cyber security requirements that set a baseline for protection of the nation's bulk electric system from cyber vulnerabilities. Users, owners and operators of the bulk electric system must adapt to changing threats and cyber technologies to assure the ongoing security of the nation's critical infrastructure," the FERC stated.
     In addition to other rule changes, the CIP version 5 standards require responsible entities to use a new approach to categorize all cyber systems impacting the power grid as having "Low, Medium or High" impact.