The NERC CIP process is broken and is not likely to be fixable

The recent DOE Inspector General's (IG) report on grid security reads very close to my testimony to Senator Rockefeller’s Commerce Committee almost two years ago – nothing much substantial has changed.  The NERC CIP process is based on a consensus standards approach. That is ludicrous.  Regulatees do not create their own regulations. Change it or scrap the entire NERC CIP process.
The cottage industry formed around supporting NERC CIP is composed of too many people who have no idea of how the electric industry works.  The job of the consultants is to produce compliance reports that minimize the number of assets to be addressed and the utilities do not take a critical look at the drivel they have been given.
The auditors use a checkbox approach to a ludicrous end. Utilities that have tried to go beyond NERC CIPs have been penalized because it wasn’t in the box.
The core of the NERC CIPs is technically flawed:
- There is no such thing as an electronic security perimeter when you can access critical assets from a hotel room hundreds to thousands of miles away.
- Cyber is a communication not size problem. The Brightline criteria of NERC CIP Version 4 is completely irrelevant for cyber and is only useful for utilities trying to justify what not to address. The August 2003 blackout that affected 50 Million people involved transmission lines that would not meet the Version 4 Brightline criteria.
- Exclusions for non-routable protocols are ludicrous. They are cyber vulnerable and make up most of the communications in utility operations.
- Excluding distribution is technically ludicrous even though the industry is hanging their hat on legislation preventing FERC from addressing distribution. Electrons do not have organization charts – they move from generation to transmission to distribution.
The emperor wears no clothes and the industry refuses to open their eyes. Kudos to the DOE IG.
Joe Weiss