Compliance and security - they are not the same

I thought it would be important to put in context why Walt Boyes asked the question about security and compliance. I am currently working with a utility that had a NERC CIP assessment performed by a very credible consulting organization. What the utility really wanted to know was how secure/vulnerable their systems were. The utility assumed that NERC compliance meant their systems were secure. The purpose for establishing the NERC CIPs was to secure the critical electric industry operational assets so as to maintain electric reliability. Consequently, meeting NERC CIP standards should not impact the reliability of the bulk electric grid. Compliance is assuring that the NERC CIP requirements have been met. This has led people to logically assume being NERC CIP compliant means your assets are secure. Unfortunately, the logic is right, but the process is wrong. The NERC CIPs are a programmatic set of standards that may or may not be relevant to actually securing assets. For example, you can be NERC CIP compliant while excluding telecom, all distribution, non-routable protocols (even though they may make up 75-80% of the utility’s control system communications), and even all generation and substations if your “risk assessment” defines them not to be “critical”. Because the NERC CIPs are so ambiguous, many utilities are concerned about the possibility of fines and therefore are doing what they can to minimize their exposure to the NERC CIPs. This has led some power plants to no longer provide black start capabilities and many utilities to “unplug” their IP connections just to avoid meeting the NERC CIPs. In doing so, these utilities have actually made the grid less reliable even as they claim to be NERC CIP compliant or simply avoid the NERC CIP process. When most power plants, including many of the largest, are not NERC Critical Assets, the process is broken. These and other actions have turned the NERC CIP process into a game. A specific example of this was two years ago at an ISA Expo session. A NERC representative was asked if it would be possible to be NERC CIP compliant and still be fined for not meeting NERC reliability requirements. Unbelievably, the answer was YES! According to the NERC representative, the utility would be NERC CIP compliant if they implemented security policies, whether the policies were appropriate or not. However, if those same policies led to failures affecting grid reliability, the utility could be fined (up to $1 Million/day) even though it was deemed NERC CIP compliant! Taking the NERC assessment performed for the utility one step further, I mentioned you need control system-specific policies. The consultant took exception because NERC did not state you need control system policies for control systems. There have been many control system cyber incidents that have caused significant impacts that did not violate IT security policies or would not have been prevented by the NERC CIPs. What is needed is a set of metrics to audit that has relevance to actually securing the assets. Presently, that would be the NIST standards. What is the point of being compliant if you are not secure????? Joe Weiss