Strengthened U.S. cyber security standards approved


Michael Assante, Vice President & Chief Security Officer, NERC
Princeton, NJ, U.S.A. — (METERING.COM) — May 7, 2009 – Eight revised cyber security standards for the North American bulk power system have been approved by the North American Electric Reliability Corporation’s (NERC) independent Board of Trustees.

The action represents the completion of phase one of NERC’s cyber security standards revision work plan which was launched in July 2008. Work continues on phase two of the revision plan, with version three standards already under development.

The standards comprise approximately 40 “good housekeeping” requirements designed to lay a solid foundation of sound security practices that, if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats.

Areas covered by the standards are critical cyber asset identification, security management controls, personnel and training, electronic security perimeter(s), physical security, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets.

The revisions begin to address concerns raised by the Federal Energy Regulatory Commission in its Order No. 706, in which it conditionally approved the standards currently in effect. The revisions notably include the removal of the term “reasonable business judgment” from the standards.

Entities found in violation of the standards can be fined up to $1 million per day, per violation in the U.S., with other enforcement provisions in place throughout much of Canada. Audits for compliance with 13 requirements in the cyber security standards currently in effect will begin on July 1, 2009.

“The approval of these revisions is evidence that NERC’s industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cyber security of the electric grid,” commented Michael Assante, vice president and chief security officer at NERC.

“It’s important to note, however, that these standards are not designed to address specific, imminent cyber security threats,” he continued. “We firmly believe carefully crafted emergency authority is needed at the government level to address this gap.”