Becoming NERC CIP Compliant - Another Perspective

Sept. 25, 2007
In the September issue of Control, Jay Abshier authored the article "Becoming NERC CIP Compliant" (http://www.controlglobal.com/articles/2007/284.html). The article provides a good background and understanding of the "spirit" of the NERC CIP process. However, several points may not be self-evident.

The spirit of the NERC CIP approach was to identify ALL cyber-related assets that could affect the reliability of the bulk electric grid and to establish a process to mitigate the cyber vulnerabilities identified in those assets. However, various exclusions were included in the final version of the NERC CIPs, including telecom, electric distribution, market functions, non-routable protocols, and nuclear power plants. Each of these excluded systems has exhibited cyber vulnerabilities that could materially impact the reliability of the bulk electric grid.

Additionally, the risk assessment methodology was never defined, which allowed many utilities to minimize the number of critical cyber assets included in the CIP-002 process. In fact, there are utilities that have determined they have NO critical cyber assets even though they have control centers, substations, and power plants with many cyber connections. This matters because if an asset is not deemed a critical cyber asset in CIP-002, no further cyber mitigation need be done; that is, CIP-003 through CIP-009 need not be addressed.

There have been several reported and unreported cyber incidents in the electric power industry. Because of the various exclusions, the NERC CIP standards as written would not have prevented many of these events. As a result of all of the above-listed issues, FERC has issued the Notice of Public Rulemaking (NOPR) on the NERC CIP cyber security standards (the NOPR can be found on the ferc.gov website: http://www.ferc.gov/whats-new/comm-meet/2007/071907/E-4.pdf).
FERC's technical and administrative concerns with the NERC CIP standards are demonstrated by its extensive list of recommendations. FERC is requesting and encouraging public comments on the NOPR, which are due October 5th. I encourage everyone to read the NOPR and submit comments while you can still make a difference.