President Obama issues Exec. Order on Critical Infrastructure Cybersecurity
February 13, 2013


Citing “repeated cyber intrusions into critical infrastructure,” President Obama has issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Order states that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” The Order seeks to improve the cybersecurity of Critical Infrastructures in the U.S. through improved communication and coordination with the private sector, directs the National Institute of Standards and Technology (NIST) to develop a comprehensive “Cybersecurity Framework” to reduce cyber risks to critical infrastructure, and creates a voluntary Critical Infrastructure Cybersecurity Program.

The order:

  • defines Critical Infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  • calls for increased policy coordination and information sharing across governmental agencies and with businesses.
  • tasks the Dept. of Justice with establishing procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers.
  • seeks to “expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators,” addressing a concern that has been repeatedly brought up by NERC, EEI, and others in the electric industry.
  • directs the Department of Homeland Security to expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis “to maximize the utility of cyber threat information sharing with the private sector.”
  • seeks “to establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.”

The order also calls for NIST to develop a Cybersecurity Framework. This Cybersecurity Framework shall:

  • seek to reduce cyber risks to critical infrastructures
  • include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address
  • incorporate voluntary consensus standards and industry best practices to the fullest extent possible
  • provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
  • focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure
  • provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks
  • include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework
  • be open to a public review and comment process.

One of the more controversial portions of the order is Section 8. Section 8 establishes a Voluntary Critical Infrastructure Cybersecurity Program that will devise a set of incentives to encourage private sector participation. The DHS, in coordination with Sector-Specific Agencies, is to establish this program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. Other Sector-Specific Agencies, in consultation with DHS and the Sector Coordinating Councils, are to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

The DHS, DOD, and GSA are also directed to review procurement rules to assess “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

DHS is directed to identify the Critical Infrastructure at the Greatest Risk:

  • using a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
  • DHS is to “apply consistent, objective criteria in identifying such critical infrastructure without identifying any commercial information technology products or consumer information technology services.”
  • Owners of such infrastructure will be confidentially notified and will be provided the basis for the determination.

Finally, within 2 years after publication of the final Cybersecurity Framework, DHS and other responsible agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

The Executive Order can be found here: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

NERC’s Statement about the order is available at http://www.nerc.com/fileUploads/File/News/EO%20Response%2013FEB13.docx.pdf

NBC News high-level summary: http://www.nbcnews.com/technology/technolog/new-rules-cybersecurity-obamas-executive-order-explained-1C8349895

GridSME to prepare study for Lawrence Berkeley National Laboratory/DOE
January 23, 2013


The Department of Energy’s Lawrence Berkeley National Laboratory (LBNL) has reached out to GridSME to prepare a study that looks at the current state of grid control processes and technologies and will suggest how to improve electric grid control systems to maintain or increase reliability and advance the integration of new technologies, particularly in the West.

GridSME is thrilled to partner with LBNL and looks forward to digging deeper into these issues. This project represents another demonstration of how GridSME is fulfilling its mission of Facilitating Change in Our Industry.

Background:

Numerous studies and reports have been generated which try to define best practices in both technologies and processes. That the Western Interconnection needs to make more widespread use of these new and existing technologies and practices is well known. Since the August 14, 2003 Northeast blackout, there have been numerous studies, surveys, and research into the causes of grid instability, separation, and cascading outages and proposed fixes to those problems. Technological changes, like the addition of large amounts of renewable energy, require entities to better adapt to variable generation and increase transmission flexibility. As the San Diego outage on September 8, 2011 indicated, even with all the information on benefits, reliability improvements, standards and best practices, there still are gaps in adoption of these systems and practices with utilities in the Western Interconnection. To allow the current western grid infrastructure to be used more effectively, reliably, and flexibly, entities need to redouble their efforts relating to these initiatives.
