Have the NERC CIPs made the grid more secure - Who do you believe

Mike Assante is the Vice President and Chief Security Officer for NERC. On April 7th, Mike issued a letter to industry, “Critical Cyber Asset Identification”, based on the results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 – Critical Cyber Asset Identification, covering the period July 1 to December 31, 2008.

According to Mike:
Identification and documentation of the Critical Cyber Assets associated with the Critical Assets (CA) that support the reliable operation of the Bulk Electric System necessitates a comprehensive review of these considerations. The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an “add in” approach, starting with an assumption that no assets are critical. A “rule out” approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process. Accordingly, NERC is requesting that entities take a fresh, comprehensive look at their risk based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

According to Dale Peterson on the Digital Bond website:
NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems. And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue if this was the most efficient way to approach the problem, or if more risk reduction was required faster, or if the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny major improvements in the security posture have occurred.

Who do you believe?

Joe Weiss

What are your comments?


Comments

  • Both gentlemen can be correct.

    Dale is looking at what the industry has done compared to what it had been doing. Mike is looking at where it is going compared to where he feels it should be going.  

    No, we are not where we should be; but people are starting to think about this stuff. That's a vast improvement over the head-in-the-sand approach used by so many just a few years ago. 

    Yes, the effort is often haphazard, misguided, counterproductive, and all that. Mike is right too. There ARE some big mistakes being perpetrated. However, this is what happens when there aren't sufficient people available who understand the technologies, the standards, and the actual goals.

    What we need is experience and feedback to this compliance-based approach. I've said this before and it is worth repeating here too:

    Until there is a significant, experienced community of people who understand the goals, the technologies, and the limitations between them, we'll have to resort to a compliance approach to push people toward rote actions where they may see some improvement. They'll do these things because the standard says to. Hopefully, they'll see the wisdom in doing things this way, and then either update the standard that got them started, or do away with it entirely in favor of a more flexible, comprehensive approach.

    I wish it were possible to make the leap into full fledged security overnight. However, as you pointed out earlier, even top flight consulting firms can't seem to get this right. We need a step between these two states. It will take time.

    We need voices like yours, however, to continually beat the drum, and let people know that we're not secure yet. The dangerous part about Dale's advice is that it leads people toward complacency. We have come a long way, but we still have an even longer way to go.


    Jake Brodsky


  • Enclosed are the links to Mike Assante's letter and Dale Peterson's blog:

    Mike's letter is at http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf

    Dale's link is www.digitalbond.com


    Joe Weiss
