Federal regulators charged with overseeing the reliability of the electrical grid expressed concerns about proposed cybersecurity standards and warned that existing law may not protect "against fast-moving cybersecurity threats."
Yesterday's statement from the Federal Energy Regulatory Commission came in a response to pointed questions from two senators, Joseph Lieberman (I-CT), the chairman of the Senate Homeland Security Committee, and Susan Collins (R-ME), the panel's senior Republican. The senators made their inquiries in July, a few weeks after CNET published an article on the topic.
Lieberman and Collins had asked for an "expeditious comprehensive investigation" into allegations that industry standards for digital signatures -- used for authentication, including access to control systems -- were insufficient.
FERC said that the industry's plan to allow 20-year expiration on digital certificates, even though shorter periods are more secure, is worrisome. "The commission is concerned that this time period may present an unacceptable risk of compromise... Such long life spans increase the likelihood of a user's keys or certificates being compromised," it said.
Complicating the situation is that FERC has deferred to an industry standards-setting body, called the North American Energy Standards Board, to act in this area. Although the board is a private organization, FERC has routinely adopted its standards as regulations, giving them the force of law, including the board's 2008 digital signature policy.
Because the standards board is revising its digital certificate standards, "further action by the commission does not appear necessary at this time," FERC concluded. It also said that the "commission does not have jurisdiction" over either the standards board or the certification authorities that issue keys used in digital signatures.