FERC plays Solomon with the NERC CIPs

FERC approves cyber security standards-- sort of The NERC critical infrastructure protection (CIP) reliability standards to protect the nation's bulk power system against potential cyber security impacts have drawn passionate partisans-those who believe they are sufficient (NERC and the utilities); and those that believe they are not adequate (Congress, control system experts, cyber security experts, etc). Today, the Federal Energy Regulatory Commission (FERC) effectively played Solomon and approved the eight "new" mandatory CIP standards in a manner that pleased neither side. FERC's approach was to approve the NERC CIP standards with required modifications. The fact that FERC approved the CIPS with modifications does not please NERC or the utilities. The fact that FERC did not include all of the proposed modifications and make NIST SP800-53 immediately applicable did not please those who feel more rigor is required. FERC will continue to monitor the situation and make appropriate changes. It is also not clear what NERC and the utilities will do to respond to the FERC required modifications. However, utilities should be aware that a response to the NERC CIPs without meeting the FERC required modifications could very well result in not meeting an audit and requiring additional resources. Joe Weiss More at: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp