
White House Cybersecurity Directive

On February 13, 2013, the White House unveiled President Obama’s Executive Order, “Improving Critical Infrastructure Cybersecurity”.

The Executive Order is designed to create a framework which encourages companies that own critical assets, such as power generation and distribution, to improve their security systems and procedures voluntarily.

The Executive Order aims to accomplish the following:

  • Increase sharing of timely threat information, digital signatures and reports between the Department of Homeland Security (DHS) and willing companies, including the issuance of security clearances to critical infrastructure operators.
  • Expand the Department of Defense Enhanced Cybersecurity Initiative that shares threat and protection information with defense contractors to include key infrastructure companies.
  • Create a new Critical Infrastructure Partnership Advisory Council through which DHS would help coordinate cybersecurity upgrades for critical infrastructure.
  • The National Institute of Standards and Technology (NIST) will monitor the development of a “cybersecurity framework” to reduce cyber risks to critical infrastructure. DHS would then work with specific federal agencies to persuade companies to become involved and upgrade their systems.

NIST has issued a Request for Information (RFI), which can be read here. The RFI asks organizations to share their current risk management practices; their use of frameworks, standards, guidelines and best practices; and other industry practices. NIST is also holding workshops to collect additional input and will complete the framework within one year.

Key Executive Order deadlines include:

• June 12, 2013
  – The Attorney General, the Secretary and the Director of National Intelligence shall establish a process for timely dissemination of unclassified and classified reports to critical infrastructure entities.
  – The Secretary in collaboration with the Secretary of Defense shall expand the voluntary Enhanced Cybersecurity Services information sharing program to all critical infrastructure.
  – The Secretary and the Secretaries of Treasury and Commerce are each required to provide the President with separate recommendations on incentives, including which ones could be implemented under existing law and which ones require legislation.
  – The Secretary of Defense and the Administrator of General Services Administration (GSA), in consultation with the Secretary and the Federal Acquisition Regulatory Council, and using the consultation process set forth in the Executive Order, must provide the President with recommendations on incorporating cybersecurity standards into acquisition planning and contract administration and how to harmonize these changes with existing procurement regulations.

• July 12, 2013
  – The Secretary shall identify critical infrastructure where a cybersecurity incident could have a catastrophic effect.

• October 12, 2013
  – The Director of NIST shall publish a preliminary version of the Framework.

• February 12, 2014
  – The Director of NIST shall publish the final version of the Framework.

• May 13, 2014 
  – If current cybersecurity regulatory requirements are insufficient, agencies that regulate critical infrastructure security shall propose requirements to mitigate cyber risk.

The full Executive Order can be found here.
