Two senators recently sent a letter to the Federal Energy Regulatory Commission (FERC) requesting the agency initiate an investigation into the failure of Authorized Certification Authorities to issue certificates that comply with the commission's requirements.
The letter was drafted by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman and Ranking Member Susan Collins last Tuesday, and centered on concerns regarding authentication protocols that could leave the nation's electric grid vulnerable.
"Recently, allegations were brought to our attention that two Authorized Certification Authorities (ACAs) may be failing to meet cybersecurity requirements. ACAs are responsible for issuing digital certificates – certificates that allow trusted parties to enter the electric grid’s cyber business systems. Such certificates are vitally important to establishing trust in the communications between devices and other power companies. Once certificates are compromised, attackers can have a 'skeleton key' to circumvent security measures and access a wide variety of systems on the electric grid," the letter states.
The standards the ACAs must adhere to were developed by the North American Energy Standards Board (NAESB), an independent energy sector advisory group, and were subsequently adopted into FERC regulatory standards.
They require that certificates be issued with a maximum twenty-year validity term, and the senators became concerned after reports surfaced that the ACAs were not complying with the regulation.
"The allegations brought to our attention are that two Authorized Certificate Authorities have been issuing digital certificates with a 30-year lifespan – ten years greater than allowed under FERC regulations. As these certificates form the foundation for the cybersecurity of the electric grid, it is critically important that their security requirements be enforced to ensure protection against malicious actors. If these allegations are true, the violations could undermine part of the security system protecting our grid," the senators contended.
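The compliance question in the letter is mechanical: does a certificate's Validity field (notBefore to notAfter) exceed the twenty-year maximum? The following audit script is an added example written for this page; it is not code from the article, from NAESB, or from FERC. It uses only the Python standard library: a small DER encoder builds two constructed, unsigned certificate skeletons (one twenty-year, one thirty-year, mirroring the alleged issuance), and a small DER walker reads the Validity field back and compares the term against `MAX_YEARS`. The names `build_sample_cert`, `validity_period` and `check_certificate` are the example's own; the 20-year limit is the figure the article cites. Real certificates would be loaded as DER bytes (PEM decoded first) and passed to `check_certificate` unchanged.

```python
"""Audit X.509 certificate validity periods against a maximum term (added example)."""
from datetime import datetime, timezone

MAX_YEARS = 20  # maximum validity term the article attributes to the NAESB/FERC standard
UTC = timezone.utc


# ---- minimal DER encoding, only what the constructed samples need ----
def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(value)) + value


def der_time(dt: datetime) -> bytes:
    """RFC 5280 4.1.2.5: UTCTime (YY...) through 2049, GeneralizedTime (YYYY...) from 2050."""
    if dt.year < 2050:
        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed sample: an unsigned but structurally valid Certificate skeleton."""
    # Name: SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String "sample" } } }
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, b"sample"))))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                            # [0] version v3
              + tlv(0x02, b"\x01")                                      # serialNumber
              + sig_alg                                                 # signature algorithm
              + name                                                    # issuer
              + tlv(0x30, der_time(not_before) + der_time(not_after))   # validity
              + name                                                    # subject
              + tlv(0x30, sig_alg + tlv(0x03, b"\x00")))                # placeholder SPKI
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))                # placeholder signature


# ---- minimal DER decoding ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Iterate the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (two-digit year, 50-99 -> 19xx, 00-49 -> 20xx) or GeneralizedTime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def validity_period(cert_der: bytes):
    """Locate Validity inside tbsCertificate: the first SEQUENCE whose first child is a time."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    for tag, val in children(tbs):
        if tag == 0x30:
            kids = list(children(val))
            if len(kids) == 2 and kids[0][0] in (0x17, 0x18):
                return parse_time(*kids[0]), parse_time(*kids[1])
    raise ValueError("no Validity field found")


def check_certificate(cert_der: bytes, max_years: int = MAX_YEARS) -> dict:
    """Report the certificate's term in years and whether it is within max_years."""
    not_before, not_after = validity_period(cert_der)
    years = (not_after - not_before).days / 365.25
    return {"not_before": not_before, "not_after": not_after,
            "years": round(years, 2), "compliant": years <= max_years}


# Constructed samples: a compliant 20-year term and the alleged 30-year term.
# The second expires after 2049, so it also exercises the GeneralizedTime path.
COMPLIANT_CERT = build_sample_cert(datetime(2012, 6, 1, tzinfo=UTC), datetime(2032, 6, 1, tzinfo=UTC))
THIRTY_YEAR_CERT = build_sample_cert(datetime(2025, 1, 1, tzinfo=UTC), datetime(2055, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for label, cert in (("20-year sample", COMPLIANT_CERT), ("30-year sample", THIRTY_YEAR_CERT)):
        print(label, check_certificate(cert))
```

The walker deliberately searches for the Validity SEQUENCE by the tag of its first child rather than by fixed position, so it is unaffected by whether the optional `[0] version` field is present. An auditor running this across an ACA's issued certificates would look for any entry with `compliant` set to `False`.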
"Given the ever-increasing threat of catastrophic cyber attacks to our nation’s most critical infrastructure, we request that you conduct an expeditious comprehensive investigation into these allegations and provide our staff with detailed information on your findings and any actions FERC will take in response to such findings," the letter continued.
Cnet reports that the agency issued a cursory statement regarding the senators' request: "We don't comment publicly on letters from members of Congress. The commission will respond to the senators in due course."
Cnet had originally broken the story of the certificate compliance issue last month in an interview with NAESB co-chair Jesse Hurley, who warned that "these certificates protect access to control systems. They protect access to a $400 billion market. They protect access to trading systems. They also protect access to machines that do things like turn generators off. If you issue a fraudulent certificate or you're lax... the consequences could be disastrous."
The report points out that the successful Stuxnet attacks against Iranian systems used fraudulently obtained digital certificates to gain access to the compromised networks.