NERC CIPs are not all inclusive - Control Engineering editorial

Yesterday, Peter Welander of Control Engineering provided the following editorial - Cyber Security Issues Take Center Stage in 2009. I completely agree with Peter’s thoughts that cyber security will become a big issue in 2009. However, I wanted to correct the impression being left by one statement: “First and foremost, the NERC CIP (National Electric Reliability Corporation Critical Infrastructure Protection) regulations are coming into effect now. This may only affect power plants and larger utilities for the time being, but what happens through this implementation could hit you sooner than later.”  I agree with his thoughts that security will affect the utilities sooner rather than later. However, the statement about power plants and small utilities is misleading. Currently, industry’s focus is on control centers and substations with most North American power plants classified as NOT being critical assets – consequently, not assessed. Secondly, small utilities are part of the NERC CIPs even though many consider themselves NOT to have critical assets because of their size. Hopefully, with the implementation of the NIST Framework, both of these limitations will change for the better.

Joe Weiss