How seriously can NERC be taking the CIPs?

Jan. 5, 2009
FERC has recently approved NERC’s “Complete Violation Risk Factor Matrix Encompassing Each Commission Approved Reliability Standard”. As stated on the NERC website: “As NERC moves forward to become the Electric Reliability Organization (ERO) and enforcement of the NERC reliability standards and the requirements contained within begins, there will be a need to determine and specify the relative risk the violation of each requirement poses to the bulk electric system.  The requester proposes to develop a matrix (Violation Risk Matrix) delineating the relative risks associated with the violation of each NERC standard requirement.  The Violation Risk Matrix would be used for the initial basis for determining enforcement action for future violations.”

The submittal includes other reliability standards besides the CIPs and identifies multiple items that are HIGH. For standards such as vegetation control or ACE, it is straightforward to identify which standards are critical for maintaining the reliability of the bulk electric system. However, for the CIPs, it is not nearly as straightforward. That is because cyber is addressing equipment and also external, intentional threats.

In the current violation matrix, there are 171 NERC CIP002-009 specific items, only 2 of which are considered HIGH and very few MEDIUM. This means the infamous $1 million/day fine is toothless for the CIPs.

There is a need to reexamine the violation matrix. My thoughts would be there should be more than 100 individual requirements in CIP 002, 005, 006, and 007 that should be either HIGH or MEDIUM. The only requirements that should be LOW are those that are strictly paperwork-related. How can NERC realistically expect utilities to take these standards seriously if the threat of large fines is toothless?

Joe Weiss
