Part of EnergyBiz® Network »

Utility Management Group

Senior decision-makers come together to connect around strategies and business trends affecting utilities.

Shared Link

FERC oversight of pipeline reliability NOPR

Richard Brooks's picture
Richard Brooks 100,830
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,530 items added with 668,503 views
  • Jan 20, 2022
  • 355 views

This FERC NOPR is further evidence that NERC lacks the cybersecurity skills and knowledge to administer cybersecurity practices. This statement says it all:

Although the currently effective CIP Reliability Standards offer a broad set of cybersecurity protections, they do not address INSM [RJB: network monitoring]. This omission constitutes a gap in the CIP Reliability Standards. Including INSM requirements in the CIP Reliability Standards would ensure that responsible entities maintain visibility over communications between networked devices.

The gap FERC refers to, lack of network monitoring, has been a cybersecurity best practice for well over 20 years. This is why we need to put the cybersecurity experts at CISA in charge of cybersecurity practices across all critical infrastructure. The siloed approach to cybersecurity used by FERC/NERC is leaving the nation's electric grid vulnerable. Let's put our best foot forward on cybersecurity and put the experts at CISA in charge! Let NERC focus on what it does best, grid operation and planning for reliability.

Let CISA work directly with the NERC regional entities to provide guidance and support for CISA's cybersecurity best practices. Eliminate all of the extraneous and wasted labor we call "NERC CIP COMPLIANCE" and replace it with harsh financial penalties on any entity that suffers a cybersecurity breach from failing to follow CISA best practices. This would incentivize real security measures be taken, instead of wasting resources producing compliance paperwork.

 

FERC oversight of pipeline reliability NOPR

The Federal Energy Regulatory Commission issued a cybersecurity NOPR today directing North American Electric Reliability Corporation (NERC) to add "network monitoring" as a CIP standard. The real question is, why wasn't this function included in NERC CIP on day 1; network monitoring is a fundamental cybersecurity practice that has been in use for over 20 years. This NOPR is further proof that NERC lacks the cybersecurity expertise to define and administer effective cybersecurity policy. It's time to put the real cybersecurity experts at CISA in charge of all grid, and critical infrastructure cybersecurity practices.

Read More
Source: www.linkedin.com
Discussions
Matt Chester's picture
Matt Chester on Jan 21, 2022

The siloed approach to cybersecurity used by FERC/NERC is leaving the nation's electric grid vulnerable. Let's put our best foot forward on cybersecurity and put the experts at CISA in charge!

What will it take for the utilty decisionmakers to not think about cybersecurity in this way? Is that something you can regulate?

Richard Brooks's picture
Richard Brooks on Jan 22, 2022

Great question, Matt. IMO, the problem with NERC CIP regulations is that they represent a very low bar for cybersecurity protections because companies want to avoid fines from NERC. Many Companies already implement cybersecurity best practices defined in the NIST CSF, but they also have the extra burden of NERC CIP COMPLIANCE on top of this, that adds no value to cybersecurity controls, above the NIST CSF. NERC compliance efforts are laborious, tedious work that must be done for that day when the NERC auditors show up. It is politically correct to publicly praise NERC CIP, even though it adds no value to cybersecurity protections, if a party already follows NIST CSF best practices. I do not believe NERC CIP regulations are effective at improving cybersecurity protection and should be replaced by guidance from CISA and NIST and harsh financial penalties for any party that suffers a cybersecurity breach from not following the CISA/NIST best practices. No more NERC audits, no more burdensome paperwork - put all that money and effort into implementing real CISA/NIST cybersecurity protections instead and pay the price if you don't. My position on NERC CIP is not politically correct, but I'm confident in this belief.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »

Your access to Member Features is limited.

Apply for membership
Related Content
“NOASSERTION”? No problem!
Shareholders Can Sue Corporate Officers for Breach of Duty of Oversight in landmark Ruling — CISOs and CPOs, You Listening?
Green Hydrogen: Nova Scotia Legislative Developments
The surprising key to a clean energy future
Recent Comments
Mark Silverstone
Mark commented on ...
Wind turbines around the world are ‘collapsing at an alarming rate'
Unfortunately, the article that goes with the headline is not accessible to most readers.
David Walter
David commented on ...
New Zealand and California ink deal to cooperate on climate
Interesting news item. Thanks for sharing!
Mark Silverstone
Mark commented on ...
Study: Conn. electric bills highest in continental U.S.
Oh my! Where oh where do you get your information?  
Mark Silverstone
Mark commented on ...
Scrub Hub: Passing a wind farm, I see some turbines spinning and others motionless. Why?
Thank you for that! I have often wondered the same thing.