FERC Creates Office to Address Cyber-Security Threats to Energy Sector
The Federal Energy Regulatory Commission (FERC) has created an office to address both physical and cyber-threats to energy facilities.
The new Office of Energy Infrastructure Security (OEIS) will be inside FERC and be used to help the commission identify, communicate and address potential risks to facilities under FERC jurisdiction, such as oil, electric and gas companies.
According to the commission, the office will participate in intelligence-related collaboration efforts such as workshops and classified briefings with industry representatives and federal and state agencies, as well as conduct outreach with the private sector regarding security issues.
Such collaboration has been problematic in the area of cyber-security, and has been the subject of legislative attempts to improve information sharing between industry and government.
"Creating this office allows FERC to leverage its existing resources with those of other government agencies and private industry in a coordinated, focused manner," FERC Chairman Jon Wellinghoff said in a statement. "Effective mitigation of cyber and other physical attacks requires rapid interactions among regulators, industry and federal and state agencies."
Earlier this year, a survey of 104 security professionals in the energy sector revealed that many were skeptical about the security of the smart grid. According to the survey, which was sponsored by nCircle and the Energy Sector Security Consortium (EnergySec), 61 percent of respondents said smart meter installations do not have sufficient security controls to protect against false data injection. Seventy-five percent said security had not been sufficiently addressed in smart grid deployment.
Lila Kee, GlobalSign chief product officer and Executive Committee member for the North American Energy Standards Board (NAESB) Wholesale Electric Quadrant (WEQ), said the energy sector is a critical target for any organization seeking to disrupt life in the U.S.
“There are systems and applications used by energy providers to perform transactions such as trading that although vital and accessible on the Internet, don’t play a direct role in controlling or supporting electric reliability and delivery to end users," she said in a statement. "It is important for government, private enterprise and the public in general to understand the differences. This will ensure that resources are allocated appropriately in the effort to strengthen the security of the grid and systems used for business transactions.”
The announcement about the office comes as the White House considers issuing an executive order on cyber-security, which Department of Homeland Security Secretary Janet Napolitano said last week was nearing completion. The executive order follows the failure of the Cybersecurity Act of 2012 in the Senate last month.
"My guess is the White House is looking to do something in cyber-security," said Anup Ghosh, CEO of Invincea. "Threatening to sign an executive order might be one way of getting Congress to act on the legislation that has been kicked down the road time and again. I'm not sure anything substantive related to cyber-security will come from the threatened Executive Order. However, if it is enough to scare critical infrastructures to invest in new cyber-security approaches that [match] the threat, then that will be a positive outcome."