The recent FERC letter to collect Aurora information has spawned some interesting reading. My comments are in red.Dale Peterson had a blog on his Digital Bond website today that states: "Unfortunately, there have also been suggestions that would delay risk reduction like throwing out the NERC CIP and replacing it with NIST SP800-53 (What's unfortunate about a document that requires utilities to do a complete job?). SP800-53 is a great document, but you have the large transmission and generation folks understanding terms like electronic security perimeters, critical cyber assets, and quoting CIP requirements (What's the point here - the large transmission and generation folks are not securing their systems). They are building security programs around that approach (that are not complete and allow them to exclude all kinds of critical systems). I cringe when I hear asset owners saying maybe we should wait because it looks like NERC CIP might change or be replaced. Even if you could snap your fingers and say replace CIP with SP800-53 it would set back efforts six months to a year. Even worse would be to start over with a new standard or wait for ISA SP99 Part 4 (what is worse about doing the right job?). There is momentum and improving security due to the NERC CIP's (dream on). I have seen it first hand both from utilities that have always cared about cyber security (pardon my incredulity because if they always cared they would have done a comprehensive job long ago) and those that are only doing it because of NERC CIP. The worse thing would be to derail this train (NO! The worse thing to do is let this train run to the end and have the biggest false sense of security we have ever had)."
Tom Kropp from EPRI responded to a note I wrote to CIGRE with the following:With due respect to Joe, his response to Marc's request is off the mark. U.S. Industry has responded responsibly to requests about their activities in response to the
National security is too important to have people who should know better making comments like this. I am ashamed for them.