Have the NERC CIPs made the grid more secure - Who do you believe

May 31, 2009

Mike Assante is the Vice President and Chief Security Officer for NERC.  April 7th, Mike issued a letter to industry - “Critical Cyber Asset Identification” based on the results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 – Critical Cyber Asset Identification for the period July 1 — December 31, 2008.

Mike Assante is the Vice President and Chief Security Officer for NERC.  April 7th, Mike issued a letter to industry - “Critical Cyber Asset Identification” based on the results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 – Critical Cyber Asset Identification for the period July 1 — December 31, 2008.

According to Mike:
Identification and documentation of the Critical Cyber Assets associated with the Critical Assets (CA) that support the reliable operation of the Bulk Electric System necessitates a comprehensive review of these considerations. The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an “add in” approach, starting with an assumption that no assets are critical. A “rule out” approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process. Accordingly, NERC is requesting that entities take a fresh, comprehensive look at their risk based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

According to Dale Peterson on the Digital Bond website:
NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems. And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue if this was the most efficient way to approach the problem, or if more risk reduction was required faster, or if the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny major improvements in the security posture have occurred.

Who do you believe?

Joe Weiss

Sponsored Recommendations

Municipalities are utilizing inline total solids measurements to enhance sludge thickening, lower polymer usage and cut operational expenses.
Carbon dioxide is increasingly recognized as a vital resource with significant economic potential. While the conversion of carbon dioxide into products is still in its infancy...
Discover our wide range of temperature transmitters that convert sensor signals from RTDs and thermocouples into stable and standardized output signals!
An innovative amine absorption-based carbon capture process enables retrofitting of existing industrial facilities to reduce emissions in hard-to-abate sectors, with advanced ...