Winning with NERC CIP and still losing
You can be NERC CIP compliant, and still get fined...
Many utilities will be spending a significant amount of time and resources on NERC CIP cyber security compliance. If you're a utility, there is a possibility that you may not be spending your money wisely and, worse, may have to spend it again.
To get a voting majority to approve them, the NERC CIP standards were developed with sufficient ambiguity and exclusions to enable a utility to minimize the number of assets to be addressed as part of the NERC CIP process. As a result, the number of critical cyber assets for a medium-size utility is on the order of 20-50, not a more realistic number of several thousand.
For organizations that weren't involved in the CIP development process, this approach appeared to be less than adequate. Consequently, on October 17, Congressional hearings were held (http://homeland.house.gov/) on "The Cyber Threat to Control Systems; Stronger Regulations are Necessary to Secure the Electric Grid". Additionally, on October 17, the House Homeland Security Committee issued a letter to the Chairman of FERC requesting an investigation of the industry response to the
A specific example of why one would care about the cyber security of the grid occurred at a panel session at ISA in