
Is the Smart Grid Better Protected?: Nine Months After NIST Releases Cybersecurity Framework
By: Sandra Zegarra, Associate
As the United States’ power infrastructure transitions from the current electric grid to the Smart Grid, an assortment of new security and reliability concerns, notably in the cyber security arena, has been introduced.[1] Although the objective of the Smart Grid includes heightened security, the implementation of supplementary technologies such as smart meters, sensors, and advanced networks presents new vulnerabilities.[2]
In order to address these cyber security concerns, in February 2014 the Obama administration released voluntary cybersecurity guidelines for the nation’s critical infrastructure systems, framing them as a standardized foundation that companies and organizations can implement in an effort to secure their networks against online intrusions and other cyber threats.[3] The framework originates from President Obama’s Executive Order 13636 – Improving Critical Infrastructure Cybersecurity – issued in 2013, which directed the National Institute of Standards and Technology (NIST) to work with the private sector, which owns and operates over 85 percent of the nation’s critical infrastructure, to develop a set of guidelines and best practices to reduce cyber risks.[4] The guidelines lay out processes and procedures that companies can adopt to improve security, such as investing in protective technology for their networks; however, they don’t include incentives to participate.[5] Although the guidelines are voluntary, the administration had hoped that companies would sign on to them out of self-interest.[6]
In August 2014, NIST requested feedback from the private sector owners and operators of critical infrastructure to gain an understanding of organizations’ awareness of and experiences with the framework, as well as how officials might improve the voluntary guidelines in future versions.[7] Although the vast majority of responses came from tech companies and industry associations, there were several government agencies and energy companies among the organizations that provided feedback on the framework.[8] Sempra Energy, a gas and electric utilities company that includes San Diego Gas and Electric (SDG&E) and Southern California Gas Company (SoCalGas), said it was already held to more stringent standards elsewhere (DOE, FERC, and NERC) and that it collaborates with private sector experts and government entities to ensure that it meets or exceeds industry expectations.[9] In its response, the Department of Energy stated that it would continue to reach out to state and local regulators and policymakers to increase their awareness of the Cybersecurity Framework and the current public and private efforts to develop sector-specific guidelines for the Framework’s use.[10]
Overall, most of the organizations said the framework had been influential and useful in raising awareness of best practices in cybersecurity risk management.[11] So it seems that the Executive Order for Improving Critical Infrastructure Cybersecurity has been beneficial, even if only in raising awareness.
[1] Charles Ebinger and Kevin Massy, Software and Hard Targets: Enhancing Smart Grid Cyber Security in the Age of Information Warfare 1 (Brookings Energy Security Initiative, Feb. 2011), http://www.brookings.edu/~/media/research/files/papers/2011/2/smart%20grid%20ebinger/02_smart_grid_ebinger.pdf. The cyber security of the Smart Grid refers to the exploitation of vulnerabilities in the grid through the internet for the purpose of disrupting the normal operation of the power delivery system. Id. at 5.
[2] U.S. D.O.E. Office of Electricity Delivery and Energy Reliability, Study of Security Attributes of Smart Grid Systems—Current Cyber Security Issues 12 (National SCADA Test Bed, Apr. 2009), http://www.inl.gov/scada/publications/d/securing_the_smart_grid_current_issues.pdf.
[3] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0, Feb. 2014).
[4] Improving Critical Infrastructure Cybersecurity, Exec. Order No. 13636, 78 Fed. Reg. 33 (Feb. 12, 2013); Dan Verton, Tech Firms, Associations Lead Response to Cybersecurity Framework, FedScoop (Oct. 14, 2014, 5:23 PM), http://fedscoop.com/tech-firms-associations-lead-response-to-cybersecurity-framework/.
[5] See Framework for Improving Critical Infrastructure Cybersecurity, supra note 1.
[6] Gautham Nagesh & Danny Yadron, Obama Administration Releases Voluntary Cybersecurity Rules for Critical Infrastructure, Wall St. J., Feb. 12, 2014, available at http://online.wsj.com/news/articles/SB10001424052702304888404579379033086677294?mod=_newsreel_2.
[7] National Institute of Standards and Technology, NIST Seeks Info on User Experiences with Cybersecurity Framework (Aug. 22, 2014), http://www.nist.gov/itl/csd/20140822_framework.cfm.
[8] National Institute of Standards and Technology, RFI- Framework for Reducing Cyber Risks to Critical Infrastructure, Comments Received in Response To: Federal Register Notice Developing a Framework To Improve Critical Infrastructure Cybersecurity (Oct. 16, 2014), http://csrc.nist.gov/cyberframework/rfi_comments_10_2014.html.
[9] Sempra Energy, Sempra Energy Utilities Response NIST RIF- Experience With the Framework For Improving Critical Infrastructure Cybersecurity 1-2 (Oct. 9, 2014), http://csrc.nist.gov/cyberframework/rfi_comment_october_2014/20141009_sempraenergy_chavez.pdf.
[10] Department of Energy, Response to National Institute of Standards and Technology Request for Information “Experience with the Framework for Improving Critical Infrastructure Cybersecurity” 5 (Oct. 10, 2014), http://csrc.nist.gov/cyberframework/rfi_comment_october_2014/20141008_doe.pdf.
[11] RFI- Framework for Reducing Cyber Risks to Critical Infrastructure, supra note 8.