Key Updates to PKI Standards Better Protect Utilities Against Cyber Attacks

by Lila Kee, Chief Product & Marketing Officer, GlobalSign, Inc., Board Member, North American Energy Standards Board (NAESB)

GlobalSign is one of several members of the North American Energy Standards Board (NAESB), which is reshaping how Wholesale Electric participants will use Public Key Infrastructure (PKI) to secure vital business applications using digital certificates and associated PKI services.

In August 2011, NAESB created a new subcommittee to review and revise the Wholesale Electric Quadrant (WEQ) standards around PKI. Although a standard for PKI, WEQ-012, had existed since 2009, several Independent System Operators (ISOs) and other interested parties requested it be updated to reflect today's market needs. This action was especially important in that certificate authorities (CAs) had increasingly become the target of cyber attacks.

As a result, a subcommittee consisting of PKI experts from commercial CAs such as GlobalSign and industry participants including Midwest ISO, ISO New England and Tennessee Valley Authority, to name a few, joined forces to modify the current PKI standard. Their goal was to incorporate advancements in PKI technologies that were not available when the initial standard was released and that would equip energy participants to better address modern-day cybersecurity threats.

Furthermore, the subcommittee recognized that cyberthreats may evolve quickly. Thus, whatever the updated standard contained, the Authorized Certificate Authorities' (ACAs') operating guidelines required a mechanism agile enough to incorporate and adopt mitigations quickly, so that ACAs can prevent and respond to hackers' rapidly changing and increasingly sophisticated methods.

The PKI subcommittee's end deliverable was a revised WEQ-012 standard for regulated entities that manage or use applications that fall under it. The deliverable also included a mechanism that emphasizes stronger security requirements, auditability and enforceability for ACAs such as GlobalSign to follow.

Below are key updates to the standard approved by the NAESB membership in October 2012 and expected to be submitted to FERC for its consideration at the beginning of 2013. Adoption of the standard will help provide the foundation for a safer cybersecurity framework that will secure the networks operated by transmission owners, generators, independent grid operators and end users.

Creation of an accreditation specification for Certification Authorities:

The NAESB subcommittee recognized that CAs applying for NAESB Authorized Certificate Authority status were unlikely to be regulated by the Federal Power Act and therefore would not be subject to FERC jurisdictional authority. As a result, the subcommittee separated ACA requirements from the WEQ-012 standard by creating a standalone ACA specification. Wholesale Electric Industry members relying
21 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide