Have the NERC CIPs made the grid more secure - Who do you believe

    May 31, 2009

    Mike Assante is the Vice President and Chief Security Officer for NERC.Ā  April 7th, Mike issued a letter to industry - ā€œCritical Cyber Asset Identificationā€ based on the results of NERCā€™s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 ā€“ Critical Cyber Asset Identification for the period July 1 ā€” December 31, 2008.

    Mike Assante is the Vice President and Chief Security Officer for NERC.Ā  April 7th, Mike issued a letter to industry - ā€œCritical Cyber Asset Identificationā€ based on the results of NERCā€™s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 ā€“ Critical Cyber Asset Identification for the period July 1 ā€” December 31, 2008.

    According to Mike:
    Identification and documentation of the Critical Cyber Assets associated with the Critical Assets (CA) that support the reliable operation of the Bulk Electric System necessitates a comprehensive review of these considerations. The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an ā€œadd inā€ approach, starting with an assumption that no assets are critical. A ā€œrule outā€ approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process. Accordingly, NERC is requesting that entities take a fresh, comprehensive look at their risk based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

    According to Dale Peterson on the Digital Bond website:
    NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems. And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue if this was the most efficient way to approach the problem, or if more risk reduction was required faster, or if the definitions of cyber assets and critical cyber assets should have been more stringent, but I donā€™t see how an honest look at the results could deny major improvements in the security posture have occurred.

    Who do you believe?

    Joe Weiss

    Continue Reading

    Sponsored Recommendations

    The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...
    Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...
    Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about whatā€™s changed...
    Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...

    Latest from Home

    Control Talk June 2025 cartoon
    Source: Trihedral Engineering/AI
    VTScada is built around its own enterprise historian, so every backup server in an application can be bidirectionally synchronized.

    Most Read

    Sponsored