Revealed to NERC's board of trustees and stakeholders in a letter, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
These actions arise from NERC's recent interaction with various organizations, notably including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," commented Rick Sergel, president and CEO of NERC. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the Chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Commenting on today's announcement, Barry Lawson, Chair of NERC's Critical Infrastructure Protection Committee (CIPC), stated "NERC's ongoing efforts to improve its ability to respond quickly and efficiently to cyber and physical security threats are critically important to reliability of the bulk power system and the CIPC continues to be supportive of their successful execution."
Specific actions, as detailed in the letter, include:
Increasing NERC Expertise on Critical Infrastructure Protection and Cyber Security: NERC will formally establish the Critical Infrastructure Protection program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. The establishment of this program will include the staffing of a Chief Security Officer position, who will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider Alternative Standard Setting Process for Cyber Security Standards: NERC will establish a task force to review, and where appropriate recommend, a standard setting process for cyber security that will include an emergency/crisis standards setting process. This process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited Review of Existing Cyber Standards: Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing critical infrastructure protection standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate Joint Collaboration on Cyber Security: NERC, working with the Federal Energy Regulatory Commission in the U.S. and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior level utility executives across all stakeholder groups on cyber security threats.