The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


Lew Folkerth is still at it!

Tom Alrich's picture
Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents, Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

  • Member since 2018
  • 426 items added with 154,667 views
  • Apr 25, 2022


If you’re involved with the electric power industry and you’ve been reading this blog for a while, you’re undoubtedly familiar with Lew Folkerth. Lew is Principal Reliability Consultant with the RF region of NERC and is probably the most respected authority on the NERC CIP standards. But more importantly, he’s a great teacher on those standards and he places everything he says in the context of cybersecurity and risk management (he’s very knowledgeable about both subjects).

Lew writes a column on NERC CIP in RF’s newsletter, which is published quarterly. Since the newsletters are big files, Lew also publishes his columns separately. You can access them by going here and dropping down the menu for Standards and Compliance at the bottom. Under Outreach, you’ll see a link to every one of his columns since he started writing them in 2014. And BTW, you’ll also see the link to the slides for the talk I gave on SBOMs and CIP-013 compliance at RF’s March Tech Talk.

Most importantly, Lew has just put together, for the first time since 2019, a single file with all of his columns. Here are some of my favorites, starting this year and moving back (page numbers refer to the PDF itself, not the numbers at the bottom of each page):

  1. BCSI Revisions  (page 127) – this is an excellent article (published in Q1) discussing the revisions to CIP-004 and CIP-011 to update the protections for BES Cyber System Information, including BCSI in the cloud.
  2. Using Advanced IT Technologies in an OT Environment Part 2 – Containers (page 121) – another excellent article that both gives a great introduction to containers and describes how you can utilize containers within your Electronic Security Perimeter, yet still be in compliance with the CIP requirements. I had never thought this was possible.
  3. Implied Requirements (page 117) – This is one of the endearing “features” of the NERC CIP requirements – there are so many requirements that are implicit. Because they’re implicit, you can’t receive a violation for missing them, but missing them will put you out of compliance with other requirements. I wrote about implicit requirements several times, including here and here.
  4. Incident Response and Incident Management (page 115)
  5. CIP-012-1 In-Depth (page 104), followed by a very detailed accompanying article starting on page 106

Of course, if you get hooked on Lew, you should subscribe to the RF newsletter, which has a lot of other interesting articles besides Lew’s columns.

If you’re with a NERC entity or an IT or OT supplier to the power industry, I’d love to have a discussion with you about CIP-013 and supply chain cybersecurity. Please drop me an email.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at


No discussions yet. Start a discussion below.

Tom Alrich's picture
Thank Tom for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network® is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »