Thursday, March 1, 2012

High Impact Cyber Security Legislation Looming for Utilities

My previous post referenced a recent preliminary report documenting how companies from all sectors are moving slowly to elevate security matters to the CEO and Board of Directors level. And hardly a day goes by when I don't suggest that having more than a few empowered CSOs in our industry might start to turn the actual cyber security strategy tide, as well as signal a culture change to all of the grid's many stakeholders.

Like Congress for example.

Congress in 2011 seemed pretty sure that utilities and their regulators needed a few additional sticks to goad them into tightening up the overall security posture of the grid. That was the GRID Act, and when it passed the House but didn't get a Senate vote, the stage was set for a sequel.

And so here it is: the cross-sector Cybersecurity Act of 2012.

If you're a utility with too much on your plate today, what with modernization initiatives, aging workforce and aging equipment issues, PUCs starting to impose new rules on how you handle and protect customer data, and NERC CIP version 3 looking like it's going to morph into a much more burdensome version 4 or 5 soon, the last thing you need is another oversight agency asking you to demonstrate compliance with new regulations.

Well, that's exactly what the DHS-centered new act is. And if it passes in anything like its current form, utilities are likely to like it about as much as you'd think they would. According to Jody Westby writing in Forbes ... not much. For example:
With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.
I recommend you read her whole Forbes article, take 4 Advil, and call me in the morning. Or better yet, email me if you think Westby is making a mountain out of a legislative molehill. Or vice versa.