
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent pending (16/933161) technology: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™)...

  • Jan 20, 2022

This FERC NOPR is further evidence that NERC lacks the cybersecurity skills and knowledge to administer cybersecurity practices. This statement says it all:

Although the currently effective CIP Reliability Standards offer a broad set of cybersecurity protections, they do not address INSM [RJB: network monitoring]. This omission constitutes a gap in the CIP Reliability Standards. Including INSM requirements in the CIP Reliability Standards would ensure that responsible entities maintain visibility over communications between networked devices.

The gap FERC refers to, the lack of network monitoring, concerns a practice that has been a recognized cybersecurity best practice for well over 20 years. This is why we need to put the cybersecurity experts at CISA in charge of cybersecurity practices across all critical infrastructure. The siloed approach to cybersecurity used by FERC/NERC is leaving the nation's electric grid vulnerable. Let's put our best foot forward on cybersecurity and put the experts at CISA in charge! Let NERC focus on what it does best: grid operation and planning for reliability.

Let CISA work directly with the NERC regional entities to provide guidance and support for CISA's cybersecurity best practices. Eliminate all of the extraneous and wasted labor we call "NERC CIP COMPLIANCE" and replace it with harsh financial penalties on any entity that suffers a cybersecurity breach from failing to follow CISA best practices. This would incentivize taking real security measures instead of wasting resources producing compliance paperwork.


Discussions
Matt Chester on Jan 21, 2022

The siloed approach to cybersecurity used by FERC/NERC is leaving the nation's electric grid vulnerable. Let's put our best foot forward on cybersecurity and put the experts at CISA in charge!

What will it take for the utility decision-makers to not think about cybersecurity in this way? Is that something you can regulate?

Richard Brooks on Jan 22, 2022

Great question, Matt. IMO, the problem with NERC CIP regulations is that they represent a very low bar for cybersecurity protections because companies want to avoid fines from NERC. Many companies already implement cybersecurity best practices defined in the NIST CSF, but they also have the extra burden of NERC CIP COMPLIANCE on top of this, which adds no value to cybersecurity controls above the NIST CSF. NERC compliance efforts are laborious, tedious work that must be done for that day when the NERC auditors show up. It is politically correct to publicly praise NERC CIP, even though it adds no value to cybersecurity protections if a party already follows NIST CSF best practices. I do not believe NERC CIP regulations are effective at improving cybersecurity protection, and they should be replaced by guidance from CISA and NIST and harsh financial penalties for any party that suffers a cybersecurity breach from not following the CISA/NIST best practices. No more NERC audits, no more burdensome paperwork - put all that money and effort into implementing real CISA/NIST cybersecurity protections instead and pay the price if you don't. My position on NERC CIP is not politically correct, but I'm confident in this belief.
