Position Statement
Information Security in Electric Power
(Approved by the IEEE-USA Board of Directors, 16 Nov. 2000)
Policies related to electric restructuring can
create and have created significant financial incentives for malicious intrusion into
computers and communications systems of electric power industry and marketplace
participants. In addition, the complexity of the interconnected power grid and its
dependence on automation and information systems make it vulnerable to malicious intrusion
by cyberterrorists, disgruntled employees, hobbyists and a range of other perpetrators.
Protecting against these intrusions and detecting them if they occur will require
coordinated actions by:
- Electric power system owners and operators
- Electric power market exchanges, regulators, and
participants
- Futures market exchanges, regulators, and
participants, and
- Federal and state law enforcement agencies.
These coordinated actions should be based on the
following principles:
- Mandating that all participants in the electric
power industry and associated marketplaces establish and maintain policies and programs
for protection of their computer and communications systems. Such policies and programs
should conform to industry best practices. They should be mandated by Federal and state
regulators, self-regulating exchanges and other oversight organizations within their
relevant areas of oversight.
- Coordinating the computer and communications
security efforts with reliability efforts that analyze power system disturbances and
related marketplace events. Analysis of disturbances and events should include review of
relevant computer and communications intrusion detection records.
- For cases in which the financial target of an
attack is not the same entity as the owner of the computer or communications system,
providing contractual or regulatory mechanisms under which the system owner would be
responsible for providing security protection for information and capabilities of critical
importance to others.
- Establishing guidelines for coordination of the
individual computer and communications security programs by appropriate private or
public/private entities.
- Adjusting existing anti-trust and securities market
surveillance rules so that restructured electric power markets are provided protection
comparable to what is provided to prevent insider trading in securities markets. Such
surveillance should be coordinated with the computer and communications security programs
to facilitate identification of suspicious situations in which unusual profits are
correlated with computer intrusion.
- Taking action to remove from the electric power
marketplace the direct, serious information security threat to all critical infrastructure
posed by the so-called "self help" provisions of the Uniform Computer
Information Transactions Act (UCITA). The threat arises from inclusion in software of
features or provisions supporting or enabling the exercise of self help (remote intrusion
and disablement), or preventing successful recovery from this form of denial-of-service
attack. The threat is posed by the software features themselves and applies even if the
particular contract under which the software is obtained does not allow the use of self
help.
- Taking appropriate actions to mitigate the other
harmful effects of UCITA on information security.
This statement was developed by the Energy Policy
Committee and the Committee on Communications Policy of The Institute of
Electrical and Electronics Engineers-United States of America (IEEE-USA) and represents
the considered judgment of a group of U.S. IEEE members with expertise in the subject
field. IEEE-USA promotes the careers and public-policy interests of the nearly 230,000
electrical, electronics, computer and software engineers who are U.S. members of the IEEE.
BACKGROUND
As part of its response to the blackouts, energy
crises, and environmental concerns over the past 40 years, the electric power system has
become highly dependent on sophisticated computer and communications systems. Electric
power is consumed at the instant it is produced and the computer and communications
systems serve to ensure that the production and consumption are instantaneously balanced,
that the system is being operated as reliably and efficiently as possible, and that the
relevant accounting, maintenance and business operations are appropriately supported.
Electric power restructuring is replacing
vertically-integrated, regulated, territorial electric power monopolies with a complex
structure of competitive generation and regulated transmission and distribution entities.
Competitive generation is giving rise to a wide range of new market structures,
electric-power-related financial products, and associated computer and communications
systems. Information that was once freely and cooperatively exchanged has now become
highly proprietary and competitively sensitive. To level the market playing field,
regulations have been imposed to prevent certain flows of information. In addition, the
electric power marketplace has become highly volatile, with prices occasionally spiking
from around $30 per megawatt-hour to as much as $7500 or more per megawatt-hour.
When fully restructured, the aggregate market for
electric power and its financial derivatives can be estimated at roughly a half trillion
dollars. However, unlike other commodities, the physical characteristics of electric power
result in an overall market that is actually a collection of regional markets sensitive to
localized events. The size and structure of the market and its dependence on the
sophisticated flow of competitively-sensitive information creates a huge financial
incentive for unscrupulous perpetrators to profit through computer intrusion. The
intrusions can take four forms:
- Eavesdropping intrusions to discover proprietary
data and gain advance information on impending events (such as those that would cause
price spikes) before they become known to the marketplace. This threat cannot be obviated
by creating market rules that provide for early announcement of potential market-impacting
events because there would still be incentives for learning of the events prior to the
marketplace announcement. Also, "traffic analysis" methods allow information to
be gleaned by eavesdropping on communications links even if the links are encrypted.
- Intrusion to damage equipment and cause
market-impacting events due to forced outage.
- Denial-of-service attacks to disrupt marketplace
mechanisms and interfere with the timely flow of marketplace information.
- Other intrusions to gain competitive information or
to disrupt the operations of a competitor.
In all four cases the means of profiting from the
intrusions would depend on the nature of the system attacked, the nature of the
information or equipment accessed, and the duration of any market effects. Profits from
long effects in the bulk power market could be gained in the futures market, where it is
possible to operate with relative anonymity. Profits from short duration events in the
bulk power market would be gained through power trading and the associated methods of
compensating traders. Profits from intrusion on distribution-related systems might be
gained by reducing costs of competitive marketing (such as by capturing customer use
profiles).
The Uniform Computer Information Transactions Act
(UCITA) includes numerous provisions that are harmful to information security and critical
infrastructure protection. UCITA takes effect October 1, 2000 in Maryland, and July 1,
2001 in Virginia, and is being considered by other states and the District of Columbia. It
can be made effective everywhere through the operation of "choice of law"
provisions, except in Iowa where its effect is blocked for one year.
Examples of the provisions of UCITA that harm
infrastructure protection include (1) allowing large software publishers and on-line
services to escape liability for security-related software defects, even if both the
defect and its potential consequences are known by the publisher and are undisclosed to
purchasers; (2) allowing software publishers to contractually enforce (or place high legal
barriers to escaping) non-negotiable prohibitions on licensees publicly criticizing the
security performance of their software or exchanging information on such performance; (3)
permitting software publishers to contractually enforce non-negotiable prohibitions on
reverse engineering for any purpose, including security-related purposes explicitly
permitted under Federal copyright law; and (4) creating incentives for software publishers
to deliberately embed security faults in their software intended for use in unilaterally
enforcing contract provisions by means of information security attack
("self-help") and to incorporate features in their software preventing recovery
from self-help attacks. UCITA also allows software publishers to escape liability to third
parties harmed by misoperation or malicious misuse (e.g., by intruders) of the self-help
capabilities in their software.
Any proprietary software having a license subject
to the law of a state that has enacted UCITA should be treated as a potential source of
serious security vulnerabilities, unless explicit actions are taken to exclude them. A
security vulnerability in any part of an enterprise can become the entry point for
malicious intrusion on other parts of the enterprise.
The Institute of
Electrical and Electronics Engineers, Inc.--United States of America
1828 L Street, N.W., Suite 1202
Washington, DC 20036-5104
Phone: 202-785-0017, Fax: 202-785-0835.
Last Update: 21 Nov. 2000
Staff Contact: Bill Williams, bill.williams@ieee.org
Copyright © 2000 Institute
of Electrical and Electronics Engineers, Inc.
Permission to copy granted for non-commercial uses with appropriate attribution.