Keeping the Lights On: An Interview with Lou Leffler of the NAERC

by rthieme on August 27, 2001

Interview with Lou Leffler, Program Director, NAERC (North American Electric Reliability Council)

Interviewed by Richard Thieme

This is the transcript of the original interview which was not included by Information Security Magazine as a sidebar to the interview with Ron Dick. I think Leffler’s insights are worth noting so the transcript is presented here. Whatever was kept by Information Security Magazine is copyright Information Security Magazine 2001 and whatever was left over is copyright Richard Thieme 2003.

Leffler: We have a very good relationship with the NIPC. We’ve been working with them for a little more than two years and have established with them – and I emphasize WITH them – an ISAC (Information Sharing and Analysis Center) that is unique, I think, in that we can reach out with the NIPC to our NAERC constituents which are basically all of the entities that touch electricity – everyone concerned with generation, transmission, distribution, sales, purchasing of electricity in the US, Canada and a little bit with Mexico. We have an excellent means in place for those constituents to reach out to NAERC or the NIPC with questions or reports. Likewise the NIPC can reach out to them directly or through us.

RT: What is the unique contribution created by the partnership you have with the NIPC?

Leffler: Understand that we are learning and growing as we build this. The NIPC with their knowledge of other sectors and what we tell them about our sector can package a warning product of use to members of our sector. Now, in the distant past, we used to get warning messages from the DOE, for example, saying that “there may be something happening at some time in the future at some station on the East Coast.” What can you do with that? They are working hard to package a warning product that is actionable, and actionable is the key word. Our industry has enabled two or three different methods of communicating with the NIPC about incidents. They are very receptive to our questions. The uniqueness is that we can reach out to anyone in this industry so that if something is going on electricity-related we can work with the NIPC to say what it really means in language our industry specialists understand so they can take action.

The relationship is very good. We have a working group in our industry and their people are at every meeting and they have been very supportive.

RT: How good are the warning products?

Leffler: There are two points to be made. One, not that much has happened. We get a report from the NIPC daily and disseminate it to the industry – patches, alerts, and the like. We also have a means for communicating through secure or insecure facilities with them if something is happening. There has only been one case where that has happened and we dealt with it. We got a call a few months ago asking, what does this mean? and a few telephone calls told me what it meant and I passed that along. I am hopeful it would work just as well if there were a dire emergency, which we have not had yet.

It is not easy for the government to take information from the intelligence community and distribute it to the industry. Richard Clarke would be the first to say this. We’re working on creating a means to do that so we can get information out, so if I get a warning notice and tell a utility you have to do this, they would do it, but as Clarke admits, we have a ways to go in learning how to declassify information so it can be more easily and more quickly disseminated.

RT: How vulnerable is the industry in your view?

Leffler: There may be vulnerabilities, the kinds of things we must be vigilant about. We know there are things out there, and we’re not in the business of giving away blueprints, but I do know this: if you have a telecommunications circuit that in any way is connected to your control system that leaves your secure area, it’s vulnerable. And even if it doesn’t leave the premises, it’s vulnerable because of the insider threat. So it’s a matter of constant vigilance. We are just getting our feet wet as to social engineering, someone coming up and starting an innocent conversation. How do bad things happen? They happen because insiders want to launch desperate threats or they don’t understand the system or they don’t change passwords or do other stupid things.

RT: What about ramping up the level of security in the human sector so it equals that in the network sector?

Leffler: That’s a tough one. We live in a society that cherishes its openness or humaneness, and you hire some perfectly fine young man or woman, and how do you know they are not going to do something? Do you background check everybody? Some say yes, everybody. I don’t know what the answer is. It’s a changing environment. We need to make sure that our industry is aware of these things. But you won’t get anything done until the top management is willing to listen and take the time to understand.
