
Will NERC-CIP Save The Day

Initially, I wondered about the value of the NERC-CIP standard (http://www.nerc.com/page.php?cid=2|20), since it allowed me to opt out simply by not defining any of my assets as critical cyber assets (CCAs). Furthermore, defining the electronic security perimeter (ESP) is another challenge: if you touch the Internet anywhere, you can be touched from anywhere, so in some sense you have no perimeter. In my simple way of thinking about these things, the only real perimeter is an air gap. However, the process is maturing, and companies are developing clear, defensible, and documented processes for defining CCAs and ESPs.

Obviously, the rules changed when FERC stepped into the game (http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp) and industry had no choice but to take NERC-CIP seriously. Up to $1M per day is certainly a motivator, and compliance is at least measurable through audits, but are the systems measurably more secure? What kind of security metrics have been collected to compare the state of the system before and after compliance? And what about the ROI of NERC-CIP? Has anyone made the argument that compliance with NERC-CIP will actually pay dividends beyond avoiding hefty fines?

If I assume that one day even my refrigerator (along with all the other “smart” appliances, http://www.sciencentral.com/video/2008/10/17/smart-appliances/) will be compliant with NERC-CIP, where do we go from there to continuously improve security? NERC-CIP is a good place to start, but those of us in the security business know that security is a journey, not a destination.

- Perry