U.S. utilities need industry group focused on cyber defense: report

WASHINGTON (Reuters) – U.S. utilities would benefit from an independent group to set industry-wide guidelines on combating cyber threats, according to a think-tank report released on Friday that was co-authored by a former director of the Central Intelligence Agency.

The report, from the Bipartisan Policy Center, said a new independent organization could bring together the disparate interests in the sector to help manage cybersecurity for the nation’s electric grid, and help to deal with threats such as new malware that could be targeted at plants’ information technology systems.

“We don’t have one group looking at this holistically to see what the answers are,” said Curt Hebert, a co-author of the report who is a former chairman of the Federal Energy Regulatory Commission, the agency which oversees aspects of the nation’s electric grid.

The other authors of the report were Michael Hayden, director of the CIA under President George W. Bush, and Susan Tierney, former assistant secretary at the Energy Department under President Bill Clinton.

The report suggested that a new entity be modeled after the nuclear industry’s Institute of Nuclear Power Operations (INPO). INPO was established by nuclear companies in 1979 following the recommendations of a presidential commission after the Three Mile Island nuclear plant accident.

The industry-funded institute conducts regular evaluations of nuclear plants, establishes performance objectives and helps train nuclear plant employees.

In addition to identifying best practices regarding cybersecurity, the industry body proposed by the report would also analyze cyber incidents as they happen and offer technical assistance.

The proposal faces some pushback from the Edison Electric Institute, a trade group representing investor-owned electric companies. The group raised concerns about whether the industry needs another organization weighing in on security matters.

Scott Aaronson, senior director of national security policy at EEI, said the functions described in the report could be carried out by existing organizations.

Hebert said he anticipated the proposal would draw some resistance in the sector, which is already regulated by entities such as FERC and the North American Electric Reliability Corporation (NERC).

He stressed that the proposed group was intended to complement NERC, which develops and enforces reliability standards for the bulk power system.

An official with NERC told Reuters in 2013 that although hackers had used computer viruses to spy on electric plants and steal documents, NERC members had yet to find malicious software in their networks that was capable of causing physical damage to a plant.

(Reporting by Ayesha Rascoe; editing by Ros Krasny and Leslie Adler)