[This comment is in reponse to Joe Weiss' Unfettered blog entry of Jan.]
You're naÏve if you believe what you write about NERC CIP. I "visited" 56 entities, and while I'll grant you everyone games the system to their advantage, all 56 were way, way, way more secure after NERC CIP compelled them to allocate resources and take the threat seriously. Nobody believes the standards are great, but how can someone with a giant brain like yours honestly say they're "not making the grid more secure and reliable?"
The grid is a 1,000 times more secure than in the mid-2000s when almost nothing was in place, and people surfed the web from HMIs.
One mistake you make is to lump all "grid insecurity" into a meta-domain. The intended goal of NERC CIP is to lower risks to the BES, plain and simple. This scope does not worry about distribution, since distribution does not typically threaten the BES (besides potentially far-fetched scenarios). Not to say distribution outages don't hurt or even cost lives, but they're not the BES and thus out of scope.
One respectful jab at Larry [editor's note: this is another commenter]: Cool-sounding technology, but if you honestly think "cybersecurity is a technology problem," you don't really understand cybersecurity. Give me the greatest and most secure technology in the world, and I'll draw up a dozen scenarios where it can be abused, misused, atrophied and faulty-processed into blatant insecurity. Cybersecurity is a multi-faceted problem that begins long before technology is in question, at the earliest stages of problem definition. It is first and foremost an attitude problem.
I apologize to you, Joe, for totally cracking on you. I respect you and I agree with so much of what you post. For instance, I love your emphasis on the control layer! Many people try to say this, but you put it best (and probably you said it first).
