Why should auditors, who do not understand the electric grid, be leading an effort to secure it?

Feb. 28, 2011

Steve Parker is an official NERC auditor and a member of the National Electric Sector Cybersecurity Organization (NESCO). He commented on my post about NESCO's ineptitude and the nature of the NERC CIPs.

The NERC CIPs are inherently a weak set of standards. The most direct demonstration of their deficiencies is that applying them would not have prevented the cyber-related electric outages that have already occurred.
The NERC CIP standards were developed for modern IT-based SCADA systems, not for legacy field control systems. How much training has been provided to auditors on the reliability of the electric grid and on the legacy field control systems they are auditing?
A utility can NOT be secure when much of the electric system has been excluded from the NERC CIP process! I am aware of several utilities that have been penalized by auditors for doing MORE than what's required by the NERC CIPs. That seems counterproductive to me. It certainly doesn't seem like a reason to celebrate.
Stacy Bresler (part of NESCO and working with Steve Parker) said he has audited approximately 30 entities as an official NERC CIP auditor and has found many more than just 2 utilities that are trying to secure their systems, not just the CIP-identified cyber assets. How is that possible when these utilities are not addressing electric distribution, non-routable protocols, Aurora, Stuxnet, etc.? I do not know of any utility with CONTROL SYSTEM cyber security policies. Have you or your team penalized a utility because it didn't have CONTROL SYSTEM cyber security policies, even though inappropriate cyber security policies have actually caused control system cyber incidents? There have been several control system cyber incidents at utilities in the West. Have your audits addressed how these utilities would, or have, addressed actual control system cyber incidents?
Steve, you and Stacy have provided ample examples of the ineptitude of NESCO. Shouldn't DOE rethink what will be a major mistake? I will celebrate when I feel industry is taking the right steps to keep the lights on.
Joe Weiss