Lew Folkerth is still at it!

If you’re involved with the electric power industry and you’ve been reading this blog for a while, you’re undoubtedly familiar with Lew Folkerth. Lew is Principal Reliability Consultant with the RF region of NERC and is probably the most respected authority on the NERC CIP standards. But more importantly, he’s a great teacher on those standards and he places everything he says in the context of cybersecurity and risk management (he’s very knowledgeable about both subjects).

Lew writes a column on NERC CIP in RF’s newsletter, which is published quarterly. Since the newsletters are big files, Lew also publishes his columns separately. You can access them by going here and dropping down the menu for Standards and Compliance at the bottom. Under Outreach, you’ll see a link to every one of his columns since he started writing them in 2014. And BTW, you’ll also see the link to the slides for the talk I gave on SBOMs and CIP-013 compliance at RF’s March Tech Talk.

Most importantly, Lew has just put together, for the first time since 2019, a single file with all of his columns. Here are some of my favorites, starting this year and moving back (page numbers refer to the PDF itself, not the numbers at the bottom of each page):

1. BCSI Revisions  (page 127) – this is an excellent article (published in Q1) discussing the revisions to CIP-004 and CIP-011 to update the protections for BES Cyber System Information, including BCSI in the cloud.
2. Using Advanced IT Technologies in an OT Environment Part 2 – Containers (page 121) – another excellent article that both gives a great introduction to containers and describes how you can utilize containers within your Electronic Security Perimeter, yet still be in compliance with the CIP requirements. I had never thought this was possible.
3. Implied Requirements (page 117) – This is one of the endearing “features” of the NERC CIP requirements – there are so many requirements that are implicit. Because they’re implicit, you can’t receive a violation for missing them, but missing them will put you out of compliance with other requirements. I wrote about implicit requirements several times, including here and here.
4. Incident Response and Incident Management (page 115)
5. CIP-012-1 In-Depth (page 104), followed by a very detailed accompanying article starting on page 106

Of course, if you get hooked on Lew, you should subscribe to the RF newsletter, which has a lot of other interesting articles besides Lew’s columns.

If you’re with a NERC entity or an IT or OT supplier to the power industry, I’d love to have a discussion with you about CIP-013 and supply chain cybersecurity. Please drop me an email.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.