Control systems are NERC Compliant – buyer beware

Jan. 7, 2009
Many IT and control system vendors are claiming to offer NERC CIP-compliant products. That makes for great marketing hype. However, the NERC CIPs are written for end-users to validate their comprehensive security program, not for vendors. In the January issue of Power Magazine, Dr. Bob Peltier states: “…the (Siemens) T3000 (DCS) is fully compliant with NERC Standards CIP-002 - CIP-009…”. This obviously makes no sense. For example, CIP-002 is Critical Cyber Asset Identification and CIP-008 is Incident Reporting and Response Planning. What does this have to do with equipment vendors and their products? End-users need to ask the right questions.

Joe Weiss