Lessons Learned: NERC’s $10M Enforcement Action
- Feb 20, 2019 7:37 pm GMT
The recent enforcement action published by the North American Electric Reliability Corporation (NERC) against Duke Energy has raised questions regarding the best cybersecurity risk management strategy for electric utilities.
Generally, an electric utility’s cybersecurity program aims to balance effective security alongside efficient operations, with cybersecurity controls focused on three major areas:
In comparison, the NERC Critical Infrastructure Protection (CIP) Standards emphasize prevention and the importance of maintaining a known baseline configuration. While this is an effective strategy after enough time and maturity, its strong emphasis on compliance naturally requires significant investments in resources and training.
As threats against electric utilities become increasingly dynamic and harder to prevent due to the rising complexity of systems, there must also be an increased focus on threat prioritization and on detection and response/recovery security controls. The NERC CIP Standards do seem to recognize this trend with the increased allowance of risk-based implementations in the more recent standards, but this fine would indicate a strong preference for prevention security controls and only minimal recognition for detection and response/recovery controls.
Clearly, this action and fine will drive changes in Duke Energy’s NERC CIP compliance program, but the resulting changes may be focused on prevention rather than detection and response/recovery areas. In the interest of comprehensive risk management, the overall strategy for cybersecurity risk management must start to embrace threat prioritization with emphasis on detection and response/recovery from cybersecurity events.