Feds: Further Action On PKI Standards Not Necessary At This Time
In a report released yesterday, the Federal Energy Regulatory Commission (FERC) concluded that it does not need to take further actions on the PKI standards in use by the U.S. electrical grid.
At issue is the length of time a certificate authority is allowed; currently there is a 20-year expiration on digital certificates, but security experts are advocating shorter durations. Earlier this summer, two senators asked for an investigation, and the FERC report is the result. FERC uses the standards adopted by the North American Energy Standards Board (NAESB), which is industry-based and has indicated it is evolving new standards, hence FERC's reluctance to act. Pending legislation in Congress might also address this.
FERC concludes: "Our report today does not advocate for or against new specific cybersecurity legislation, nor do we advocate that the Commission or any particular agency should be given authority to address imminent cybersecurity threats. These are choices for Congress. However, absent new legislation to address the issue, it is clear that the responsibility for any imminent actions to protect the grid remains primarily with the utilities themselves. We will support their efforts to the full extent of our authority, including requiring and approving new standards when appropriate."