Just three days after the head of the Senate Homeland Security Committee requested an investigation into allegations that the nation’s power grid is vulnerable to cyberattack because security regulations are not being followed, the Federal Energy Regulatory Commission (FERC) has begun to look into the matter.
FERC has given the North American Energy Standards Board (NAESB) and the companies that issue the digital certificates governing secure access to electrical grid systems one week to report on exactly what they are doing to comply with the standards that specify how those certificates are issued and how long they remain valid.
The certificates are important because they help establish trust in the communications between devices and power companies. If they are compromised, attackers can circumvent security measures and access a wide variety of systems on the electric grid.
Senate Homeland Security Committee Chairman Joseph Lieberman (I-CT) and fellow committee member Senator Susan Collins (R-ME) wrote a letter to FERC earlier this week. It states in part:
These industry-developed standards require that the life span of a certification be no more than 20 years. However, the allegations brought to our attention are that two Authorized Certificate Authorities have been issuing digital certificates with a 30-year lifespan – ten years greater than allowed under FERC regulations.
As these certificates form the foundation for the cybersecurity of the electric grid, it is critically important that their security requirements be enforced to ensure protection against malicious actors.
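The check at issue is mechanical: a certificate's NotAfter date is compared with its NotBefore date plus the permitted lifetime. The Go program below is added here as an example and is not code from FERC, NAESB or any certificate authority. It builds two constructed self-signed test certificates, one valid for 20 years and one for 30, and flags the one that exceeds the 20-year ceiling. Reading the limit as 20 calendar years from NotBefore is an assumption, since the page does not reproduce the standard's exact wording; the names CheckPEM, CheckLifetime and SampleBundle are the editor's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetimeYears is the 20-year ceiling cited in the senators' letter.
// Assumption: the ceiling is measured as calendar years from NotBefore.
const MaxLifetimeYears = 20

// Finding records one certificate's validity window and whether it exceeds
// the policy ceiling.
type Finding struct {
	Subject   string
	NotBefore time.Time
	NotAfter  time.Time
	Exceeds   bool
}

// CheckLifetime flags a certificate whose NotAfter lies beyond NotBefore plus
// maxYears. A NotAfter exactly at the limit is treated as compliant.
func CheckLifetime(cert *x509.Certificate, maxYears int) Finding {
	limit := cert.NotBefore.AddDate(maxYears, 0, 0)
	return Finding{
		Subject:   cert.Subject.CommonName,
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		Exceeds:   cert.NotAfter.After(limit),
	}
}

// CheckPEM parses every CERTIFICATE block in a PEM bundle (non-certificate
// blocks are skipped) and returns one Finding per certificate.
func CheckPEM(bundle []byte, maxYears int) ([]Finding, error) {
	var out []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		out = append(out, CheckLifetime(cert, maxYears))
	}
	return out, nil
}

// makeSelfSigned builds a constructed self-signed test certificate valid for
// the given number of years from notBefore. Test data only, not a real ACA cert.
func makeSelfSigned(cn string, notBefore time.Time, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns a constructed PEM bundle holding a 20-year and a
// 30-year certificate, mirroring the two lifespans discussed in the article.
func SampleBundle() ([]byte, error) {
	start := time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
	ok, err := makeSelfSigned("constructed-20yr", start, 20)
	if err != nil {
		return nil, err
	}
	bad, err := makeSelfSigned("constructed-30yr", start, 30)
	if err != nil {
		return nil, err
	}
	return append(ok, bad...), nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := CheckPEM(bundle, MaxLifetimeYears)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %s to %s  exceeds %d years: %v\n", f.Subject,
			f.NotBefore.Format("2006-01-02"), f.NotAfter.Format("2006-01-02"),
			MaxLifetimeYears, f.Exceeds)
	}
}
```

To audit a real bundle, replace SampleBundle with the bytes of a PEM file read from disk; CheckPEM ignores non-certificate blocks, so a file that also carries keys or CRLs can be passed as-is.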
The FERC order requires the NAESB and the Authorized Certificate Authorities (ACAs) to provide detailed compliance information by July 27th, to “determine the nature of any current practices under these standards, and whether the Commission should propose or recommend any changes in applicable law.” (The full order is filed under FERC eLibrary accession number 20120720-3019.)