[SCADASEC] FERC approves new reliability stand
Bob Radvanovsky
rsradvan at unixworks.net
Tue Feb 12 17:16:44 CST 2008
Hey...it's still worth re-posting, even if it's 'current news'. ;P
-rad
----- Original Message -----
From: Clint Bodungen [mailto:clint at cidgcorp.com]
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] FERC approves new reliability standards for cyber security
> This came out last month...
>
>
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
> Radvanovsky
> Sent: Tuesday, February 12, 2008 4:47 PM
> To: scadasec at news.infracritical.com
> Subject: [SCADASEC] FERC approves new reliability standards for cyber
> security
>
> URL:
> http://uaelp.pennnet.com/display_article/317382/22/ARTCL/none/none/1/FERC-approves-new-reliability-standards-for-cyber-security/?pc=ENL
>
> FERC approves new reliability standards for cyber security
>
> Washington, D.C., Jan. 17, 2008 -- The Federal Energy Regulatory Commission
> (FERC) approved eight new mandatory critical infrastructure protection (CIP)
> reliability standards designed to protect the nation's bulk power system
> against potential disruptions from cyber security breaches.
>
> The reliability standards were developed by the North American Electric
> Reliability Corporation (NERC), which FERC has designated as the electric
> reliability organization (ERO).
>
> "Today we achieve a milestone by adopting the first mandatory and
> enforceable reliability standards that address cyber security concerns on
> the bulk power system in the United States," FERC chairman Joseph T.
> Kelliher said. "The electric industry now can move on to the implementation
> of the standards in conjunction with improvement of these standards in order
> to increase the security and reliability of the bulk power system."
>
> Additional actions in the final rule direct the ERO to develop modifications
> to these reliability standards, via its reliability standards development
> process, and then submit them to FERC for approval. The modifications
> directed for development concern various oversight and technical issues
> pertaining to cyber protections. These include removal of language that
> allowed variable implementation of standards based on "reasonable business
> judgment" and a new framework of accountability surrounding exceptions based
> on technical feasibility.
>
> The final rule also directs NERC to monitor the development and
> implementation of cyber security standards by the National Institute of
> Standards and Technology (NIST) to "determine if they contain provisions
> that will protect the Bulk-Power System better than the CIP Reliability
> Standards," FERC said. But FERC did not direct NERC to adopt the NIST
> standards because that could lead to possible delays in putting into place
> any mandatory and enforceable standards.
>
> The mandatory reliability standards require certain users, owners and
> operators of the bulk power system to establish policies, plans and
> procedures to safeguard physical and electronic access to control systems,
> to train personnel on security matters, to report security incidents, and to
> be prepared to recover from a cyber incident.
>
> The eight CIP reliability standards address the following topics:
>
> * Critical Cyber Asset Identification;
> * Security Management Controls;
> * Personnel and Training;
> * Electronic Security Perimeters;
> * Physical Security of Critical Cyber Assets;
> * Systems Security Management;
> * Incident Reporting and Response Planning; and
> * Recovery Plans for Critical Cyber Assets.
>
> The eight reliability standards were submitted to FERC for approval on Aug.
> 28, 2006. In December 2006, FERC staff issued a preliminary analysis of the
> cyber security reliability standards, and allowed for public comment. On
> July 20, 2007, FERC issued a Notice of Proposed Rulemaking proposing to
> approve the standards, proposing future modifications, and seeking public
> comment.
>
> The final rule, "Mandatory Reliability Standards for Critical Infrastructure
> Protection," takes effect 60 days from the later of either the date Congress
> receives the agency notice of the rule, or the date the rule is published in
> the Federal Register.
>
> _______________________________________________
> To unsubscribe from this mailing list, please visit:
> http://news.infracritical.com/mailman/listinfo/scadasec
>
> To review our privacy statement, please visit:
> http://www.infracritical.com/privacy.html
>
> scadasec at news.infracritical.com
> http://news.infracritical.com/mailman/listinfo/scadasec