Have the NERC CIPs made the grid more secure? Who do you believe?

May 31, 2009

Mike Assante is the Vice President and Chief Security Officer for NERC. On April 7th, Mike issued a letter to industry, “Critical Cyber Asset Identification”, based on the results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 – Critical Cyber Asset Identification for the period July 1 to December 31, 2008.

According to Mike:
Identification and documentation of the Critical Cyber Assets associated with the Critical Assets (CA) that support the reliable operation of the Bulk Electric System necessitates a comprehensive review of these considerations. The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an “add in” approach, starting with an assumption that no assets are critical. A “rule out” approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process. Accordingly, NERC is requesting that entities take a fresh, comprehensive look at their risk based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

According to Dale Peterson on the Digital Bond website:
NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems. And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue if this was the most efficient way to approach the problem, or if more risk reduction was required faster, or if the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny major improvements in the security posture have occurred.

Who do you believe?

Joe Weiss