IPrior to the President’s State of the Union Address, President Obama signed an Executive Order on cybersecurity. This has  important implications for the electric power industry and is a wakeup call for utilties that have not yet developed or updated their cybersecurity policy.

Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, on the White House Blog, hs given an overview of the Executive Order including the motivation for it and its key provisions.

According to Mr Daniel, the government’s senior-most civilian, military, and intelligence professionals all agree that inadequate cybersecurity within the nation’s 18 critical infrastructure areas poses a threat to the security of the United States.  Because of the seriousness of the threats, the President issued an Executive Order directing federal departments and agencies to use their existing authorities to provide better cybersecurity for the Nation.  The Administration received input from a broad range of stakeholders in industry, the public sector, the legislative branch, and the advocacy community including over 30 organizations representing all 18 critical infrastructure sectors.

The Executive Order focusses on the three areas, information sharing, a framework of core security practices based on existing standards, and privacy protections.

Information sharing

The Order makes it is a national priority to increase the cyber threat information shared with authorized individuals and companies.  In particular, it aims to improve information sharing between the private sector and all levels of government.  It expands the Department of Homeland Security’s (DHS) Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments.

Cybersecurity framework

The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. NIST is directed tol work with industry to identify existing voluntary consensus standards and industry best practices to incorporate into the framework.  The Order puts private-sector cyber leaders in critical infrastructure sectors at the core of  the development of voluntary best practices for the framework.  The DHS
Secretary is directed tol establish a voluntary
program to support the adoption of the Cybersecurity Framework by
owners and operators of critical infrastructure.  This has direct and immediate implications for utilities.

Privacy

The Executive Order directs departments and agencies to incorporate privacy and civil liberties protections into cybersecurity activities based upon widely-accepted Fair Information Practice Principles as well as other applicable privacy polices.