Have the NERC CIPs made the grid more secure? Who do you believe?

May 31, 2009

Mike Assante is the Vice President and Chief Security Officer for NERC. On April 7th, Mike issued a letter to industry, “Critical Cyber Asset Identification,” based on the results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 (Critical Cyber Asset Identification) for the period July 1 through December 31, 2008.

According to Mike:
Identification and documentation of the Critical Cyber Assets associated with the Critical Assets (CA) that support the reliable operation of the Bulk Electric System necessitates a comprehensive review of these considerations. The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an “add in” approach, starting with an assumption that no assets are critical. A “rule out” approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process. Accordingly, NERC is requesting that entities take a fresh, comprehensive look at their risk based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

According to Dale Peterson on the Digital Bond website:
NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems. And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue if this was the most efficient way to approach the problem, or if more risk reduction was required faster, or if the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny major improvements in the security posture have occurred.

Who do you believe?

Joe Weiss
