In the cyber world last week, there was a lot of OMG-ing after the Wall Street Journal published its article about cyber-spies having hacked into the US power system and left software systems behind in it. The cybersecurity world was underwhelmed.
IT and cybersecurity-expert bloggers, some of whom follow security of the power system along with numerous other systems, observed that power grid vulnerability is hardly news. Real, yes, but not more real last week than last year or the year before, when it was big public news too, after a project of Homeland Security and other groups destroyed a generating unit by computer manipulation. One web site cited another's suggestion that the Journal story could have been planted by people eager to get Congress cracking on a cybersecurity bill:
"There's no coordinated conspiracy here, but there are a lot of government officials who stand to gain by this attempt at drastically increasing government control over the Internet," Robert Graham, CEO of Errata Security, stated earlier this week. "They will certain call up reporters they know and attempt to get them to write scare stories precisely like this."
Others -- interestingly, Representative Ed Markey was mostly in this camp -- focused more on what the cybersecurity chief at the North American Electric Reliability Corp. had done just before the Journal published its story. NERC's Michael Assante had sent NERC-registered entities a letter pretty much laying down the law to them, in somewhat bureaucratic language. Most entities had failed to identify critical infrastructure that maybe should be identified, he said -- and they needed to take it much more seriously.
Markey wrote to the Federal Energy Regulatory Commission with a lot of questions about the critical infrastructure protection standards the industry is supposed to have implemented. He also asked if FERC had the authority it needed to ensure the safety of the grid.
At NERC, the only comment was to the effect that the organization and the industry are fully aware of the cyber risks and are being vigilant. But the organization released Assante's letter publicly and just a bit before the newspaper article came out, clearly conscious that it had to get out in front. To at least some in the cyber world, the very presence of Assante at NERC had already been providing some confidence that things are going in the right direction. In late March, This Week in Security wrote about how he was pressing NERC's program forward. Last week Digital Bond wrote of Assante "throwing down the gauntlet" on critical infrastructure requirements, calling Assante's letter a turning point for them.
Last August, when NERC announced it was hiring Assante from the Idaho National Lab (he had been at American Electric Power before that), one organization reproduced the news release with just one comment: "NERC gets it."
Leave a comment