Environmental Law Center, Institute for Energy and Environment, University of Vermont Law School, South Royalton, Vermont
The electric industry is experiencing notable changes with the implementation of communication and automation technology, many of which are part of the smart grid movement. Similar to other critical infrastructure industries such as banking, transportation, and the cross-sector critical information infrastructure industry, the electric industry must protect itself from intentional and unintentional security breaches and incidents to ensure uninterrupted operations of essential services. Of the critical infrastructure industries, the electric industry is the only private-sector industry subject to government-enforced mandatory cybersecurity standards. This article presents an overview of the eight mandatory cybersecurity standards by the North American Electric Reliability Corporation. As an example of how standards are evolving, it discusses CIP-002 (Critical Cyber Asset Identification) in depth because it establishes whether the remaining seven standards apply. This article then compares the North American Electric Reliability Corporation regulatory framework against critical information infrastructure goals. The comparison finds that, at least on a basic level, the electric industry's mandatory cybersecurity standards meet the critical information infrastructure goals and work to secure information networks, resources, and systems from cyber and physical threats. The mandatory cybersecurity standards promote an increase in technological products, better security management, personnel and public education, and trust in the industry. Even though the electric industry's mandatory standards are imperfect, the fact that they satisfy the goals of the cross-sector critical information infrastructure indicates that the framework is sound.
The electric industry's experience with mandatory cybersecurity standards is a valuable source of information, and the regulatory framework itself can be a helpful model for other industries looking to develop their own security protection systems.
Environmental Practice 13:250–264 (2011)
(Received May 25 2010)
(Revised November 11 2011)
(Accepted November 25 2011)
(Online publication September 14 2011)
Zhen Zhang, Environmental Law Center, Institute for Energy and the Environment, Vermont Law School, 164 Chelsea Street, PO Box 96, South Royalton, VT 05068; (phone) 802-831-1151; (fax) 802-831-1140; (e-mail) firstname.lastname@example.org
Zhen Zhang is an attorney specializing in energy and environmental law and a Global Energy Fellow at the Institute for Energy and Environment at Vermont Law School. Zhen received her BS in environmental policy at the University of Michigan and her JD at the University of Maryland.