The new standards will require energy companies to identify and document risks and vulnerabilities, and establish controls to secure critical assets from sabotage.

They also mandate that energy companies report "security incidents" and set up emergency recovery plans, according to the North American Electric Reliability Corp. NERC, which ensures reliability of the bulk power system, proposed the standards.

Energy industry watchers approved the move.

"They're the most comprehensive operations technology governance for the industry that's available," said Bradley Williams, an analyst with IT researcher Gartner.

NERC and FERC have told utilities that they must improve cybersecurity, he said. "This is good for the industry. We have seen that the operations technologies have not kept up with the governance required around these complex IT systems," Williams said.

Utilities will have to come up with plenty of cash to do what NERC asks. "It's a major investment required for many of the large utilities to comply," Williams said. Funds will go to backup recovery systems, test environments, monitoring and compliance, he said.

Enhanced security measures are necessary because the cyber terrorism threat is real, said Central Intelligence Agency analyst Tom Donohue, who spoke at a security conference on Jan. 16 in New Orleans. Attacks on utilities outside the U.S. have already occurred, he said in his remarks to the security summit.

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," Donohue said.

Attacks were most likely executed with inside help. In one instance, attackers successfully targeted more than one city.

"We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. In at least one case, the disruption caused a power outage affecting multiple cities," Donohue said.

The attackers, who remain unknown, worked through the Internet. "We do not know who executed these attacks or why, but all involved intrusions through the Internet," he said.

The new standards, which require compliance by 2010, will become mandatory in March. They require policies, plans, and procedures in eight areas: