The Federal Energy Regulatory Commission (FERC) Notice of Public Rulemaking (NOPR) has been issued for public comment and it should not come as a surprise. In December, the FERC Technical Staff issued their Technical Assessment of the North American Electric Reliability Council (NERC) Critical Infratsrcture Protection (CIP) cyber security standards. The general utility industry response was to attack the administrative issues and generally ignore the technical issues. People should understand why FERC chose to issue a NOPR. FERC has not issued NOPRs on other NERC reliability standards. If the NERC CIPs were even close to be being reasonable, there would have been no reason for a NOPR.
I believe an important issue is the NERC CIPs as written would not have prevented most, if not all, of the 90+ cyber events I have collected. If the CIPs can't even prevent events that have occurred including those that NERC was aware of, what good are they? At the Knoxville Control System Cyber Security Workshop next week, we will be discussing a major control system cyber event that occurred before the CIPs were written that resulted in multiple deaths and significant damage. The NERC CIPs would not have prevented that event, although the ICS version of NIST SP800-53 could have.
One of the FERC NOPR's big impacts will be on CIP-002. Today, many utilities have between zero and maybe 20-25 critical cyber assets. The real number of critical cyber assets for a mid-size utility should be on the order of many hundreds to thousands. That is, if the asset is connected, it is critical independent of size. Utilities that have performed NERC CIP compliance projects should reconsider the technical validity of their responses based on what will be demanded by the NOPR. The Final Report of the Northeast Blackout has many cyber recommendations, such as telecom, that were never implemented in the NERC CIPs. Those oversites are being corrected by the FERC NOPR. An additional impact of the FERC NOPR will be on non-electric utilities that affect the elctric grid. This includes co-generation units that provide power or other electric services to the grid. If those facilities are electronically connected, they will also be covered by the FERC NOPR.
Generally, regulation never accomplishes its true goal and only creates unnecessary confusion. In this specific case, the regulations being promulgated by the FERC NOPR are necessary, appropriate, and will make the utilities more secure. In fact, many of the presentations, discussions, and demonstrations at next week's Control System Cyber Security Workshop in Knoxville will actually provide a technical basis for the recommendations in the FERC NOPR.