NERC CIP Version 4 is REDUCING security while ignoring Stuxnet

Nov. 22, 2010

On November 17th, the NERC Standards Drafting Team (SDT) voted on Version 4 of the NERC CIP Standards. The votes were heavily in favor of Version 4. Enclosed are selected comments from one of the NO voters: “The 1500 MW criteria for Generation is too high and will miss too many generators and a lot of nuclear plants. We have regressed in the level of cyber security included in CIP Version 4 when compared to that of CIP Version 3. NERC will be hard pressed to show these standards will improve security for the Bulk Electric System.” Recall last year, Mike Assante wrote the NERC letter stating that more than 70% of the power plants in North America were not considered critical assets. Mike is no longer at NERC, so who is looking out for what should be considered critical?

Another NERC SDT member mentioned the NERC CIPs won’t address systems inside power plants. Given that Stuxnet was introduced via a thumb drive (and that non-routable protocols are one of several exclusions in the NERC CIPs) and that the vulnerable Programmable Logic Controllers (PLCs) are inside the plants, Stuxnet and threats like Stuxnet will not be addressed by the NERC CIPs.

Shouldn’t the public expect a responsible effort to keep the grid secure? Legislation for Y2K was driven on the assumption that everyone knew of the problem and the industry was therefore obligated to address it. Consequently, officers and directors were personally liable. I felt the industry effort to address Y2K was responsible and laudable. Given everything that has been written about cyber security, doesn’t the same assumption hold for cyber security that held for Y2K? It would be fascinating to see how quickly the NERC CIPs would be scrapped and real security implemented if officers and directors were held personally liable.

Joe Weiss
