Winning with NERC CIP and still losing

Nov. 19, 2007

You can be NERC CIP compliant, and still get fined...

Many utilities will be spending a significant amount of time and resources on NERC CIP cyber security compliance. If you're a utility, there is a possibility that you may not be spending your money wisely and, worse, may have to spend it again.

To get a voting majority to approve them, the NERC CIP standards were developed with sufficient ambiguity and exclusions to enable a utility to minimize the number of assets to be addressed as part of the NERC CIP process. As a result, the number of critical cyber assets for a medium-size utility is on the order of 20-50, not a more realistic number of several thousand.

For organizations that weren't involved in the CIP development process, this approach appeared to be less than adequate. Consequently, on October 17, Congressional hearings were held (http://homeland.house.gov/) on "The Cyber Threat to Control Systems; Stronger Regulations are Necessary to Secure the Electric Grid". Additionally, on October 17, the House Homeland Security Committee issued a letter to the Chairman of FERC requesting an investigation of the industry response to the Aurora vulnerability (as shown on CNN). The reasons for the hearings and the letter are the shortcomings of the NERC CIP standards and industry's response to the ES ISAC Advisory.

A specific example of why one would care about the cyber security of the grid occurred at a panel session at ISA in Houston in October. A NERC representative stated that if security policies were employed, whether they were appropriate or not, the utility would be NERC CIP compliant. The NERC representative went on to discuss the infamous $1 Million/day fines for not meeting reliability criteria. When asked about the hypothetical situation where a utility utilizes inappropriate policies that could impact reliability, the NERC representative stated the utility would be compliant and yet potentially fined. Consequently, it is in each of your best interests to revisit what you are trying to accomplish: game the system or secure your assets.
