From Joe Weiss:
Several major electric utilities and NERC auditors have demonstrated the inanity NERC CIP implementation.
- An IT security person from PG&E stated he would maintain the integrity of the firewalls even if it meant it would turn the lights off. His job was security not operations, and that came first.
- Since the NERC CIPs mandate anti-malware and anti-virus protection, some large utilities, including Con Ed and PSE&G, are mandating protective relays to have malware protection even though adding this function will reduce the effectiveness and function of the relay. All this just to avoid Technical Feasibility Exemptions (TFEs).
- NERC CIP auditors have fined utilities for attempting to make their utilities more secure than the NERC CIPs. Can you imagine being fined for trying to be more secure than NERC’s minimum bar?
- NERC auditors allow inappropriate policies because the CIPs only require policies, not APPROPRIATE policies.
Control systems are engineered systems implemented for the purpose of keeping lights on, not providing security. These are systems not just individual components.
Who is in charge of the asylum?