What gives FERC the impression that energy companies aren't already following best practices for cybersecurity, per NIST guidelines, and they need to address a "gap" in cybersecurity protections by mandating 20-year-old practices and technologies as "NERC CIP" standards? In my experience, working with energy companies since 1990, these companies take cybersecurity very seriously. In fact, I've never worked with a single company that didn't have some form of cybersecurity policies in place. Reading the Utility Dive article, you might get the impression that energy companies are inept at cybersecurity. Nothing is further from the truth in my experience. This NOPR will not improve cybersecurity protections for companies that already follow NIST best practice guidelines, but it will increase the burdensome paperwork these energy companies will have to maintain for their next NERC CIP audit. What a terrible waste of cybersecurity resources.
IMO, this looks like another attempt to bolster business for Dragos at the expense of the entities under NERC jurisdiction. FERC should be looking for ways to relieve NERC of its CIP roles/responsibilities and adopt cybersecurity best practices from our Nation's cybersecurity experts at CISA and NIST. Let NERC focus on what it does best, reliability standards for grid operations and planning - that's where NERC excels. Let's put our best foot forward on cybersecurity for all critical infrastructure by putting CISA in charge of cybersecurity policies and practices for all critical infrastructure and stop the "siloed" cybersecurity approach we call NERC CIP. Here again the words of Tom O'Brien's Senate Testimony are compelling: "Partnership and collaboration are essential to any cybersecurity or physical security program. The importance of working across the industry, and with our state and federal government partners – and even across other critical infrastructures like telecom, finance, water and gas – to share threat information and best practices cannot be overstated. Threat intelligence and learning from others in relation to threats and prevention is critical to managing any cybersecurity program."
This NERC/Dragos relationship appears to have gone overboard; "with love" - please!