How seriously can NERC be taking the CIPs?

FERC has recently approved NERC’s “Complete Violation Risk Factor Matrix Encompassing Each Commission Approved Reliability Standard”. As stated on the NERC website: “As NERC moves forward to become the Electric Reliability Organization (ERO) and enforcement of the NERC reliability standards and the requirements contained within begins, there will be a need to determine and specify the relative risk the violation of each requirement poses to the bulk electric system. The requester proposes to develop a matrix (Violation Risk Matrix) delineating the relative risks associated with the violation of each NERC standard requirement. The Violation Risk Matrix would be used for the initial basis for determining enforcement action for future violations.” The submittal covers other reliability standards besides the CIPs and identifies multiple items as HIGH. For standards such as vegetation control or ACE, it is straightforward to identify which requirements are critical to maintaining the reliability of the bulk electric system. For the CIPs, it is not nearly as straightforward, because cyber security addresses not only equipment but also external, intentional threats. In the current violation matrix there are 171 items specific to NERC CIP-002 through CIP-009, only 2 of which are rated HIGH and very few MEDIUM. This means the infamous $1 million/day fine is toothless for the CIPs.

There is a need to reexamine the violation matrix. In my view, more than 100 of the individual requirements in CIP-002, CIP-005, CIP-006, and CIP-007 should be rated either HIGH or MEDIUM. The only requirements that should be LOW are those that are strictly paperwork-related.

How can NERC realistically expect utilities to take these standards seriously if the threat of large fines is toothless?

Joe Weiss

Comments

  • Is there a link to the violation matrix, Joe?

  • MANDATORY RELIABILITY STANDARDS FOR CRITICAL INFRASTRUCTURE PROTECTION SUPPLEMENTAL COMPLIANCE FILING OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN RESPONSE TO PARAGRAPHS 751 and 757 OF ORDER No. 706 – MANDATORY RELIABILITY STANDARDS FOR CRITICAL INFRASTRUCTURE PROTECTION
    SUBMISSION OF THIRTY-ONE PROPOSED VIOLATION RISK FACTORS

    Docket No. RM06-22-000

    December 19, 2008

    Joe Weiss
