The Inconsistency of the NERC CIPs

Nov. 1, 2010

Per NERC Critical Infrastructure Protection Committee (CIPC) commitments, the NERC Control System Security Working Group (CSSWG) is updating a series of control system guidelines. One set of guidelines addresses the electronic connectivity between control systems and business networks. When asked if serial communications should be considered, one utility’s response was that they had serial communications between their data acquisition systems and the business network, and therefore serial communications should be included. This is obviously in contradiction to the NERC CIPs, which explicitly exclude serial communications. If the NERC CSSWG guidelines will include serial, why don’t the NERC CIPs address these KNOWN control system cyber vulnerabilities, which can, and have, affected grid reliability?

Joe Weiss