Security Comments for FERC Policy Draft

As part of a profound effort to "get it right the first time," contributors from across the cyber security and power industries are sharing their recommendations with FERC.  Here's an excerpt from the submission by Jack Danahy, serial security technology patent holder and founder of multiple cyber security companies:

Comment 2: Docket No. PL09-4-000, Page 11, Subsection 14

In the section described as “Cybersecurity and Reliability”, the reference is made back to the EISA and FPA standards, both of which focus attention on disruption as a defining feature of a cybersecurity incident. From the FPA Section 215:

The term `cybersecurity incident' means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.

We know from commercial experience and from recent disclosures regarding incursions into the existing Grid that cybersecurity incidents are often not immediately disruptive. Data theft can provide deep intelligence into Grid logistics and operation, and passive malicious code is frequently left behind for use later as either a hidden inroad or a data egress mechanism. The proposal should be more specific in its own language, and should characterize any unauthorized access to, or modification of, a critical system as a “cybersecurity incident”. Failed attempts in this regard should also be identified, as they can often provide a predictive pattern of behavior in the even of a future incursion. Power disruption may well be the ultimate goal of some of these attacks, but the less obvious damage caused by information leakage and system compromise lay the groundwork for either a more damaging, or more widespread, event in the future.