How seriously can NERC be taking the CIPs?

Jan. 5, 2009
FERC has recently approved NERC’s “Complete Violation Risk Factor Matrix Encompassing Each Commission Approved Reliability Standard”. As stated on the NERC website: “As NERC moves forward to become the Electric Reliability Organization (ERO) and enforcement of the NERC reliability standards and the requirements contained within begins, there will be a need to determine and specify the relative risk the violation of each requirement poses to the bulk electric system. The requester proposes to develop a matrix (Violation Risk Matrix) delineating the relative risks associated with the violation of each NERC standard requirement. The Violation Risk Matrix would be used for the initial basis for determining enforcement action for future violations.”

The submittal covers other reliability standards besides the CIPs and identifies multiple items as HIGH. For standards such as vegetation management or ACE (Area Control Error), it is straightforward to identify which requirements are critical to maintaining the reliability of the bulk electric system. For the CIPs it is not nearly as straightforward, because the cyber standards address not only equipment but also external, intentional threats: an adversary will target whichever requirement is enforced least, so the risk of violating a requirement cannot be judged from the equipment alone.

In the current violation matrix there are 171 items specific to NERC CIP-002 through CIP-009, only 2 of which are rated HIGH, and very few are rated MEDIUM. Since the Violation Risk Factor is the starting point for enforcement action, this means the infamous $1 million/day fine is toothless for the CIPs. The violation matrix needs to be reexamined. My thoughts would be that more than 100 individual requirements in CIP-002, CIP-005, CIP-006, and CIP-007 should be rated either HIGH or MEDIUM. The only requirements that should be LOW are those that are strictly paperwork-related. How can NERC realistically expect utilities to take these standards seriously if the threat of large fines is toothless?

Joe Weiss