NERC Acts on Electronic Security Concerns

The North American Electric Reliability Council (NERC) has unveiled a proposed standard that is designed to address security concerns raised by sometimes-aging transmission and distribution computer systems. Member organizations would have through the first quarter of 2004 to follow through on the standard's requirements.

By Staff June 1, 2003

Utility managers have known since at least 1997 that portions of the U.S. and Canadian power grid are vulnerable to attack, according to a report in the electronic newsletter SecurityFocus.com. An assessment that year by the National Security Telecommunications Advisory Committee outlined flaws in computer systems controlling generators, switching stations and electrical substations.

Researchers found that some grid-operational controls were accessible through utilities’ corporate networks. Some circuit breakers could be tripped by anyone who had the right phone number, and remote-access passwords for some equipment hadn’t been changed in years. Little action was taken to correct these issues until the Federal Energy Regulatory Commission threatened government action following the Sept. 11 terrorist attacks.

The Cyber Security Standard would require utilities to identify vulnerable assets, develop new security policies and initiate training programs. Provisions for compliance monitoring and noncompliance sanctions are also included. Guidelines are intended to be a temporary fix, until a final standard is developed within the next two years.