NERC and NEI (Nuclear Energy Institute) are attempting to define “bright lines” that use the size of generation, load, and facilities as tests for registration and reliability standard compliance for cyber security. However, cyber security is about interconnectivity and system impacts. It is important to understand how data and processes impact the operation of the system. The concern should shift to the component only to consider specific scenarios or to measure some of the possible consequences that could affect systems. Otherwise, utilities can use, and have used, the N-1 criterion, which is size-related, to justify having minimal to no critical assets. There have already been control system cyber incidents with equipment that would not have met the “bright line” criteria. Consequently, “bright lines” should not be the defining criteria for cyber security.
Joe Weiss