Two U.S. senators are calling for a federal investigation of the power grid's potential cybersecurity vulnerabilities after a CNET article last month raised security concerns.
The request for a probe comes from Sens. Joseph Lieberman (I-CT), the chairman of the Senate Homeland Security Committee, and Susan Collins (R-ME), the panel's senior Republican, who warned that lapses "could undermine part of the security system protecting our grid."
They sent a letter yesterday to the Federal Energy Regulatory Commission asking for an "expeditious comprehensive investigation into these allegations," which deal with digital signatures the industry uses for authentication.
A FERC spokesman responded to a request for comment this afternoon by saying: "We don't comment publicly on letters from members of Congress. The commission will respond to the senators in due course."
Jesse Hurley, co-chair of the North American Energy Standards Board's Critical Infrastructure Committee, told CNET last month that the mechanism for creating digital signatures is insufficiently secure because not enough is being done to verify identities and some companies are attempting to weaken standards to fit their business models.
"These certificates protect access to control systems," Hurley said. "They protect access to a $400 billion market. They protect access to trading systems. They also protect access to machines that do things like turn generators off. If you issue a fraudulent certificate or you're lax... the consequences could be disastrous." The U.S. electrical grid has already become a target of cyberattacks, with Chinese and Russian hackers reportedly penetrating it over the Internet.
Rekeying the exterior locks on your house every so often tends to make your home more secure. That's a rough analogy to the way digital certificates work. Certificates with shorter expirations, which means they have to be re-issued after a certain period of time, tend to be more secure as well.
Although the NAESB standards body is an industry body, the federal government routinely adopts its standards as regulations, giving them the force of law. FERC has adopted the group's 2008 digital signature standard, which calls for digital signatures with a maximum lifetime of 20 years (and allows shorter expirations as well).
Two companies, Open Access Technology International (OATI) and GlobalSign, which are authorized by the NAESB to issue digital certificates to the industry, have argued on conference calls (audio file) that a 30-year expiration for digital certificates is fine. At the urging of OATI and GlobalSign, an NAESB committee approved the 30-year option last month.
The Lieberman-Collins letter says:
The allegations brought to our attention are that two Authorized Certificate Authorities have been issuing digital certificates with a 30-year lifespan - ten years greater than allowed under FERC regulations. As these certificates form the foundation for the cybersecurity of the electric grid, it is critically important that their security requirements be enforced to ensure protection against malicious actors. If these allegations are true, the violations could undermine part of the security system protecting our grid.
Digital certificates are documents that use a cryptographic signature for authentication, which can in turn be used to prove that a person is who he claims to be, or that computer code is trusted and can be executed. The Stuxnet malware used valid digital signatures issued by reputable companies, apparently tricked by the U.S. government, to bypass anti-virus applications and attack Iran's nuclear facilities.