Winning with NERC CIP and still losing

You can be NERC CIP compliant, and still get fined...


Many utilities will be spending a significant of time and resources on NERC CIP cyber security compliance. If you're a utility, there is a possibility that you may not be spending your money wisely and, worse, may have to spend it again.


In order to get a voting majority to approve the NERC CIP standards, the NERC CIP standards were developed with sufficient ambiguity and exclusions to enable a utility to minimize the number of assets to be addressed as part of the NERC CIP process. This has resulted in the number of critical cyber assets for a medium size utility being on the order of 20-50, not a more realistic number of several thousand.


For organizations that weren't involved in the CIP development process, this approach appeared to be less than adequate. Consequently, October 17, Congressional hearings were held ( on "The Cyber Threat to Control Systems; Stronger Regulations are Necessary to Secure the Electric Grid". Additionally, on October 17, the House Homeland Security Committee issued a letter to the Chairman of FERC requesting an investigation of the industry response to the Aurora vulnerability (as shown on CNN). The reason for the hearings and the letter are the shortcomings of the NERC CIP standards and industry's response to the ES ISAC Advisory.


A specific example of why one would care about the cyber security of the grid occurred at a panel session at ISA in Houston in October. A NERC representative stated that if security policies were employed, whether they were appropriate or not, the utility would be NERC CIP compliant. The NERC representative went on to discuss the infamous $1 Million/day fines for not meeting reliability criteria. When asked about the hypothetical situation where a utility utilizes inappropriate policies that could impact reliability, the NERC representative stated the utility would be compliant and yet potentially fined. Consequently, it is in each of your best interests to revisit what you are trying to accomplish- game the system or secure your assets.