Hackers and the US Power grid

Robert Stratton bob at stratton.net
Mon Nov 12 11:34:23 CST 2012

On Nov 10, 2012, at 12:05 AM, Andre Kesteloot wrote:

> One of the problems seems to be that the power-generating companies in the US are not Government-owned (as they are in France, or England, or Russia, etc.), and therefore are not easily controlled by the USG. In other words it is not evident that the USG can force them to have stricter security, as this would involve additional expenses.

It's even more interesting in the nuclear context. I have some friends at a security consultancy who essentially drafted the NRC's entire cybersecurity policy document for power plants. 

The plant operators have two distinct but overlapping sets of policies to follow. To oversimplify, the NRC mostly cares about whether the plant kills people and not as much about whether it generates electricity, while the NERC's priorities are the inverse. The plant operator gets both sets and has to follow them both. 

The one saving grace is that the NRC's are performance-based, so the government doesn't get to dictate specific (and probably automatically obsolete) technical implementation details. 

--Bob S.

