Electric System Cyber Security Terms

Yesterday I noted that today the Senate Energy and Natural Resources Committee would be holding a hearing today to look at a ‘discussion draft’ of possible legislation that would address cyber security issues for the bulk-power system and electric infrastructure. I explained that I was covering this issue because of potential carryover from any control system rules in that legislation to other industrial control system legislation proposed in the future.

I have now had a chance to review the discussion draft that will be considered today, and I am less sure that this draft bill being discussed will have significant impact on any future ICS cyber security legislation that would impact chemical facilities.

The only real exception is some of the definitions included in §224(a). Two of the terms of significance outside of the electrical power community are ‘cyber security threat’ and ‘cyber security vulnerability.

“The term ‘cyber security threat’ means the imminent danger of an act that disrupts, attempts to disrupt, or poses a significant risk of disrupting the operation of programmable electronic devices or communications net works (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure.” §224(a)(4)

“The term ‘cyber security vulnerability’ means a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes critical electric infrastructure to a cyber security threat.” §224(a)(5)

In both definitions I think that simply removing the word ‘electric’ from the term ‘critical electric infrastructure’ would make both of these terms apply to any industrial control system that the Federal government would have interest in regulating.