

Lessons Learned: NERC’s $10M Enforcement Action

Jeff Pack
Senior Project Engineer, POWER Engineers

Jeff Pack, CISSP, is an industry-experienced leader and technical expert in the cybersecurity field, including program development, consulting and operations. He currently serves as POWER...

  • Feb 20, 2019

The recent enforcement action published by the North American Electric Reliability Corporation (NERC) against Duke Energy has raised questions regarding the best cybersecurity risk management strategy for electric utilities.

Generally, an electric utility’s cybersecurity program aims to balance effective security alongside efficient operations, with cybersecurity controls focused on three major areas:

• Prevention
• Detection
• Response/Recovery

In comparison, the NERC Critical Infrastructure Protection (CIP) Standards emphasize prevention and the importance of maintaining a known baseline configuration. While this is an effective strategy after enough time and maturity, its strong emphasis on compliance naturally requires significant investments in resources and training.

As threats against electric utilities become increasingly dynamic and harder to prevent due to the rising complexity of systems, there must also be an increased focus on threat prioritization and on the detection and response/recovery security controls. The NERC CIP Standards do seem to recognize this trend with the increased allowance of risk-based implementations in the more recent standards, but this fine would indicate a strong preference for prevention security controls and only minimal recognition for detection and response/recovery controls.

Clearly, this action and fine will drive changes in Duke Energy’s NERC CIP compliance program, but the resulting changes may be focused on prevention rather than detection and response/recovery areas. In the interest of comprehensive risk management, the overall strategy for cybersecurity risk management must start to embrace threat prioritization with emphasis on detection and response/recovery from cybersecurity events.
