An article on SecurityFocus discusses the issues with the North American power grid and its susceptability to a cyber attack. After a major blackout took out electricity to 30 million people in 1965 NERC (North American Electrical Reliability), a non-profit group, was formed to guarantee that it didn't happen again.

The government has proposed imposing security standards, but NERC stepped in hoping to keep the mandatory standards in the family and keep the government out of it.

"They've added requirements for compliance monitoring, with sanctions for noncompliance."
That worries Kenneth Hooper, a protection engineer at NB Power, an electric company serving the Canadian province of New Brunswick. He says mandatory continent-wide security measures are too blunt an instrument for the job.
Full Article: Sparks over Power Grid Cybersecurity

I don't personally feel that the government should impose *mandatory* standards, but you have to start somewhere. This is an industry self-regulating rather than having the government step in, but its close to the same.

I don't think its unreasonable though for this organization or the government to establish mandatory minimum baselines. If not them, then who? Someone has to set the baseline and establish a standard by which to measure others. If an electrical company failed to execute minimum reasonable security precautions and caused a portion of the power grid to crash I think they should be held accountable.

I am not 100% decided, but I tend to lean toward corporations and ISP's being held accountable for not taking basic security precautions if their networks end up propagating the next Nimda or such. The question is- who gets to decide what the minimum reasonable requirements are??? Who will pay the costs to bring things up to the minimum baseline? Who will police the world and impose the penalties?

Thoughts?