Jul 23 2008
Next Rounds for NERC CIP Approaching - What Does it Mean for Industry?
The nomination window for the next NERC CIP drafting team has opened, and nominations are due on 7/28/2008; the link is available here. This effort comes hot on the heels of the SAR comment team's completion of the comment review from the last round of the NERC CIP documents. Further, it represents a critical next step in the evolution of the NERC CIP documents, and more broadly in the security protection requirements and regulatory efforts that protect North American bulk power systems from cyber security events.
There is a lot of good news in this, and some items that we as industry professionals must really pay attention to. First off, the protection of our electrical systems and critical infrastructure is gaining more attention throughout North America, including from utility operators and owners, government officials, industry experts, and others. That is definitely good news. Also, it is well known that while the NERC CIP documents definitely created more awareness for industrial cyber security, they have also received some criticism as not being quite enough. As I participated in the SAR team, it was evident that most of the players involved now really are taking this seriously, and a good faith effort is underway to continue to build the strength of these regulatory requirements and to drive more effective practices across generation and distribution.
On the bad side, so much effort can cause confusion, and when confusion exists, some will delay until the dust settles. Others will adopt early and take the chance that, if there are significant changes, they may incur increased costs. Delays in action, inconsistency, difficulty in interpretation: all of these can hamper success.
But these are risks common to any project, and ones that I am not nearly so concerned with as this one: focusing too much on something like NERC CIP while ignoring other aspects of security discipline. I have spoken to several utilities in the past few months and have been noticing a disturbing message. I know of several utilities whose infrastructure improvement plans are now on hold for NERC CIP, and several others that have stalled any security improvements until NERC CIP is final or they complete their compliance effort.
Remember that something like NERC CIP is not there just to check the box. If you are using an automated compliance solution, or endless spreadsheets and tons of assessments, don't get too comfortable that NERC CIP is handled and security is addressed. While we all use tools, the end result shouldn't just be "I passed." The point of NERC CIP activities and similar efforts is that they should drive greater awareness and create a greater sense of ownership in protecting our organizations against cyber risk.
The bulk electric systems are in many cases aging infrastructures, and as a whole we face a number of major challenges in technology, engineering disciplines, workforce modernization, and security as well. Rather than putting infrastructure improvement projects on hold, we should be focusing heavily on designing and implementing the next generation of systems, and they should include security as part of the design. We should be moving these efforts forward!
Bottom line: it is much easier to design solid solutions that happen to be compliant than to check compliance later and implement remedial controls. Oh, and it is also much cheaper, in every case I have ever seen.
Bake security in. Make cyber risk management part of the DNA of the organization, and one need not be concerned about what happens with these regulatory efforts. NERC CIP will continue to evolve, and there are a lot of messages from the US and other governments that are very clear: the power systems WILL be protected. I really look forward to the evolution of these documents, and this is an encouraging time, with all messages from regulators, operators, and owners pointing to a greater sense of responsibility and willingness to protect our critical infrastructure.
To learn more about Bryan’s latest trip to Congress, visit Dale Peterson’s blog and listen to This Month in Control System Security. Bryan discusses lobbying Congress, virtualization and control systems security events. Here’s a direct link to the podcast: http://www.digitalbond.com/wp-content/uploads/2008/07/july_tmicss.mp3.