Federal regulators charged with overseeing the reliability of the electrical grid expressed concerns about proposed cybersecurity standards and warned that existing law may not protect "against fast-moving cybersecurity threats."
Yesterday's statement from the Federal Energy Regulatory Commission came in a response to pointed questions from two senators, Joseph Lieberman (I-CT), the chairman of the Senate Homeland Security Committee, and Susan Collins (R-ME), the panel's senior Republican. The senators made their inquiries in July, a few weeks after CNET published an article on the topic.
Lieberman and Collins had asked for an "expeditious comprehensive investigation" into allegations that industry standards for digital signatures -- used for authentication, including access to control systems -- were insufficient.
FERC said that the industry's plans to allow 20-year expiration on digital certificates, even though shorter periods are more secure, is worrisome. "The commission is concerned that this time period may present an unacceptable risk of compromise... Such long life spans increase the likelihood of a user's keys or certificates being compromised," it said.
Complicating the situation is that FERC has deferred to an industry standards-setting body, called the North American Energy Standards Board, to act in this area. Although the board is a private organization, FERC has routinely adopted its standards as regulations, giving them the force of law, including the board's 2008 digital signature policy.
Because the standards board is revising its digital certificate standards, "further action by the commission does not appear necessary at this time," FERC concluded. It also said that the "commission does not have jurisdiction" over either the standards board or the certification authorities that issue keys used in digital signatures.
Digital certificates are documents that use a cryptographic signature for authentication, which can in turn be used to prove that a person is who he claims to be, or that computer code is trusted and can be executed. The Stuxnet malware used valid digital signatures issued by reputable companies to bypass anti-virus applications and attack Iran's nuclear facilities. (Because even carefully designed algorithms may have flaws that will be discovered over time, as happened with the MD5 algorithm in 1995 and the SHA-1 algorithm in 2005, certificates are generally more secure if they expire more quickly, forcing updates.)
FERC added that its current authority "to enforce compliance with those standards is not adequate to address imminent cyber or other national security threats to the reliability of our transmission and power system," but declined to endorse any specific legislation.
Nevertheless, that could give a boost to Lieberman's bill, which would give the U.S. government additional authority to regulate cybersecurity practices for critical infrastructure, or related legislation such as the so-called GRID Act. Lieberman's Cybersecurity Act of 2012 was blocked by Republicans earlier this month; they favor a competing GOP-backed measure.
Jesse Hurley, co-chair of the North American Energy Standards Board's Critical Infrastructure Committee, told CNET in June that the mechanism for creating digital signatures is insufficiently secure because not enough is being done to verify identities.
While FERC agreed with him that 20-year expirations are too long, it concluded that Hurley did not "provide specific evidence to support the allegations" about poor identity verification. He told CNET this morning that "it's clear that (FERC is) trying to punt to Congress and bolster their request for more authority."
Two companies, Open Access Technology International (OATI) and GlobalSign, which are authorized by the NAESB to issue digital certificates to the industry, argue that a 30-year expiration for digital certificates is fine.
"OATI doesn't see a problem with 30 years from a security standpoint," Patrick Tronnier, OATI's principal security architect, said on a NAESB conference call (audio file) on May 31. Tronnier responded to complaints about weakened security by saying it would cause too much "disruption" to choose a shorter period.