Tuesday was an interesting day. Mike Assante, NERC’s Vice President and Chief Security Officer, issued a letter on the status of CIP-002 – Critical Asset Identification.
It is a scathing indictment of the electric industry. Concurrently, the Wall Street Journal issued the story about hacking of the electric grid. I want to focus on what I consider to be the more important issue- Mike’s letter. The two points to remember are the NERC CIPs are meant to maintain bulk electric grid reliability and they are specifically for cyber security. Mike very aptly points out that cyber relies on the “weakest link in the chain” principle so that excluding so many assets precludes an adequate cyber assessment of the system. The electric utilities have used NERC CIP-002 to minimize their self-designated critical assets. Since CIP-002 is the funnel for the rest of the CIP cyber security standards, assets self-designated as non-critical require no further cyber security review. What is clear from Mike’s letter is that far too many utilities do not view it as important to secure their electric assets – it is compliance for compliance sake. Additionally, what is not in Mike’s assessment is that some utilities are actually reducing grid reliability by removing black start capability and pulling IP connections in order to avoid the NERC CIPs, and most utilities not having self-designated critical generation assets are also not addressing Aurora.
There are now two other very important programs that are looking to hang their hats on the NERC CIPs:
- Nuclear plant continuity of power
- Smart Grid
Both of these functional areas are explicitly excluded from the current version of the NERC CIPs. If they are to be included as FERC is proposing in Order 706B for nuclear and the Smart Grid Policy for Smart Grid, the NERC CIPs need to be modified to remove these exclusions. Consequently, removing CIP-002 will enable the CIP standards to become much closer to the NIST Standards and prudent engineering.
This country is suffering immensely from the self regulation of the financial industry- we cannot afford our critical infrastructures to suffer the same fate.