Is 2008 the Event Horizon Year for Industrial Security?

Several events have occurred since the beginning of the year that vendors and asset owners should be looking at:

  • CIA announcement of successful power grid attacks outside of the US. While I have problems with the admission, the important note is that the CIA DID admit the penetrations.
  • NERC CIP accepted as is by FERC
  • NERC CIP version 2 expected to start this year
  • First rounds of NERC CIP compliance due in 2008
  • ISA Security Compliance Institute stands up (this has been in place for a while, but 2008 will prove to be the big kickoff year, I suspect)
  • Availability of CS2SAT, the self-assessment tool developed by Idaho National Labs and others for the Department of Homeland Security
  • ISA-99 published a new revision of Technical Report 1 and Part 1 in late 2007, with Part 2 due in the next couple of months
  • Nearly every major vendor offers cybersecurity solutions today
  • A recent explosion in companies offering cybersecurity services for NERC CIP and others
  • President Bush’s 3.1 trillion dollar budget includes massive spending for industrial security and protection of North American power grids

It was the last note that “broke the camel’s back” for me… Everyone has been talking about this for years, but it looks to me like efforts and awareness have finally reached critical mass for some significant improvements over the next few years. It is clear that this is the beginning of a major wave. While there are many players, there are still very few leaders, but that field will begin to widen as well.

A minor prediction: expect more regulatory efforts and compliance requirements from government agencies in the near future. Additional procurement specs, industry-recognized standards, and certification bodies will mean that asset owners will soon have much clearer choices.

Now is the time for asset owners to make their requirements known, and now is the best opportunity for vendors and asset owners alike to be ahead of the curve. And this curve is not “bleeding edge.” The techniques and tools are known. The question is whether you will be able to demonstrate compliance now, or whether you will have to scramble once any dates are set, or when the first customer refuses to buy a product because it does not meet industry certification.