FERC seeks more info on security efforts at energy firms

The Federal Energy Regulatory Commission (FERC) plans to step up its oversight of cybersecurity at energy companies. In a new plan submitted to the Office of Management and Budget Dec. 7, FERC proposed requiring energy companies to provide much more detailed reports on the security of their systems and their mitigation efforts. “The Commission believes that the information that will be requested is critical to ensuring that appropriate mitigation of this potential cyber vulnerability is put in place and that it is put in place as quickly as possible,” FERC’s proposed information collection and request for comments document states. The new order would affect generator and transmission owners and operators registered by the North American Electric Reliability Corporation (NERC), which operates the electricity grid in North America. The order affects approximately 1,150 companies at a total cost of $1.21 million, FERC said. Under current rules, companies report the status of mitigation plans as either complete, in progress or not performing. FERC now wants a copy of the owner or operator’s plan to address a particular vulnerability, including both short- and long-term measures, the measures already taken and an explanation of how those plans will address the problem. If the owner or operator doesn’t believe action should be taken, they must explain why. FERC said the order was spurred by a March 2007 experiment run by the Idaho National Laboratory that demonstrated the potential damage that could result from a cyberattack on the energy infrastructure. A video released by the Homeland Security Department showed hackers overheating power turbines and causing a diesel generator to explode. FERC's current oversight strategy “did not provide the level of standard, mandatory protection required,” said Greg Wilshusen, director of information security issues at the Government Accountability Office, speaking at an October hearing about the demonstration.