NERC CIP Version 4 is REDUCING security while ignoring Stuxnet

Nov. 22, 2010

On November 17th, the NERC Standards Drafting Team (SDT) voted on Version 4 of the NERC CIP Standards. The votes were heavily in favor of Version 4. Below are selected comments from one of the NO voters: “The 1500 MW criteria for Generation is too high and will miss too many generators and a lot of nuclear plants. We have regressed in the level of cyber security included in CIP Version 4 when compared to that of CIP Version 3. NERC will be hard pressed to show these standards will improve security for the Bulk Electric System.” Recall that last year Mike Assante wrote the NERC letter stating that more than 70% of the power plants in North America were not considered critical assets. Mike is no longer at NERC, so who is looking out for what should be considered critical?

Another NERC SDT member mentioned that the NERC CIPs won’t address systems inside power plants. Stuxnet was introduced via a thumb drive, a non-routable path (the exclusion of non-routable protocols is one of several exclusions in the NERC CIPs), and the vulnerable Programmable Logic Controllers (PLCs) it targeted sit inside the plants. Consequently, Stuxnet and threats like Stuxnet will not be addressed by the NERC CIPs.

Shouldn’t the public expect a responsible effort to keep the grid secure? Legislation for Y2K was driven by the assumption that everyone knew of the problem and the industry was therefore obligated to address it. Consequently, officers and directors were personally liable. I felt the industry effort to address Y2K was responsible and laudable. Given everything that has been written about cyber security, doesn’t the same assumption hold for cyber security that held for Y2K? It would be fascinating to see how quickly the NERC CIPs would be scrapped and real security implemented if officers and directors were held personally liable.

Joe Weiss
