NERC CIP Version 4 is REDUCING security while ignoring Stuxnet

On November 17th, the NERC Standards Drafting Team (SDT) voted on Version 4 of the NERC CIP Standards. The votes were heavily in favor of Version 4.  Enclosed are selected comments from one of the NO voters: “The 1500 MW criteria for Generation is too high and will miss too many generators and a lot of nuclear plants. We have regressed in the level of cyber security included in CIP Version 4 when compared to that of CIP Version 3. NERC will be hard pressed to show these standards will improve security for the Bulk Electric System.” Recall last year, Mike Assante wrote the NERC letter stating that more than 70% of the power plants in North America were not considered critical assets. Mike is no longer at NERC, so who is looking out for what should be considered critical? 

Another NERC SDT member mentioned the NERC CIPs won’t address systems inside power plants. Given that Stuxnet was introduced via a thumb drive (excluding non-routable protocols is one of several exclusions in the NERC CIPs) and the vulnerable Programmable Logic Controllers (PLCs) are inside the plants, Stuxnet and threats like Stuxnet will not be addressed by the NERC CIPs.

Shouldn’t the public expect a responsible effort to keep the grid secure? Legislation for Y2K was driven on the assumption that everyone knew of the problem and the industry was therefore obligated to address it. Consequently, officers and directors were personally liable. I felt the industry effort to address Y2K was responsible and laudable. Given everything that has been written about cyber security, doesn’t the same assumption hold for cyber security that held for Y2K? It would be fascinating to see how quickly the NERC CIPs would be scrapped and real security implemented if officers and directors were held personally liable.

Joe Weiss