Are the NERC CIPs a roadmap for attacking the electric grid?

Feb. 25, 2011

The NERC CIPs have a number of characteristics that make them a roadmap for attacking the electric grid.

The NERC CIPs have a number of characteristics that make them a roadmap for attacking the electric grid.

- They were developed by the NERC consensus process. The process is long, arduous, and inherently a “low bar”. As such, the process results in trying to make it easier on the “attackee” than trying to make it more difficult on the attacker.
- The CIPS are public and can be easily found on the Internet. Not only are the CIPs available, but so are the discussions behind the development of the CIPs. This is no different than other open standards processes.
- The CIPS are applied “uniformly” across all electric utilities in North America. What works against one can utility can work against multiple utilities.  As Mike Assante stated in his recent Senate testimony, the NERC CIPs are static and predictable. This means the CIPs cannot be responsive to newly discovered threats such as Stuxnet. Consequently, a successful, coordinated cyber attack, especially with new threats, is very possible.
- The CIPS identify what is in scope, but more importantly what is out of scope. This defies all logic for security as a potential attacker now knows what is left unprotected. The attacker can use the unprotected asset to get at the “protected” asset. So much for securing critical assets.
- The CIPs provide a timetable for implementation. Consequently, a potential attacker knows how much time is available to develop an attack for those assets in scope. Those assets out of scope have no timetable.

What more can an attacker ask for?

What can the public ask for?
- End-to-end security of the grid – no exclusions
- Use available technology to secure control systems and develop appropriate technology where needed
- Mandate development of control system cyber security policies
- Regulate cyber security of the electric grid
- Hold executives accountable

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...