Is the electric power industry really making progress in securing the grid?

July 6, 2010

I wanted to provide my observations on Friday July 2’s NERC CIP Standards Drafting Team conference call. The call was critical, as the drafting team was to vote on a priority request from NERC to define the direction the CIP standards will take for the rest of the year to meet FERC and Congressional requests. The existing CIP-002 approach allows utilities to exclude assets at their discretion. On the call it was mentioned there are nuclear plants that are not considered NERC critical assets as well as high voltage transmission assets that are also not considered NERC critical assets.

Unfortunately for all those expecting to have a cyber secure grid, the drafting team voted almost unanimously (16 for, 1 against) to change direction from the current CIP 010-011 draft approach which is more aligned with NIST (and I thought was significant progress) and reverted to an amended CIP-002. The current CIP 002-009 standards specifically exclude some of the recommendations of the final report of the 2003 Northeast Outage, as well as some NERC advisories. There have already been three large cyber-related outages in the US that would not have been prevented by the CIP 002-009 standards, even if they were fully implemented. I was appalled to hear someone try to justify this amended approach as being technically supportable – a junior engineer would laugh at it.

Several major utilities stated that they did not want to have to spend the money to adequately secure the grid. The epitome of tone-deafness was from a utility in a state that is directly affected by the BP oil spill. The utility said they have almost 1400 substations but only 75 have IP connections. They do not want to have to secure the others, even though they could be just as vulnerable. It was also not clear if they would be pulling the IP connections from any of the 75 substations to make them “non-critical” and therefore exclude them from the NERC CIPs.
If some question vulnerabilities with non-IP connections, recall the Aurora project, which did not involve IP connectivity and which the industry has largely yet to address.

Fundamentally, I don’t believe in government regulation. However, there is overwhelming evidence of the cyber vulnerability of the electric grid and cyber incidents continue to occur. For the good of the country, regulation is needed and soon!

Joe Weiss