
CISA Identifying Critical Infrastructure
Are you a PSIE ("primary systemically important entity")?
I find it encouraging that CISA is working to provide a baseline set of cybersecurity practices that will apply across PSIEs within critical infrastructure. The inter-dependencies across critical infrastructure are well known. Every critical infrastructure operation requires electricity, and electricity is dependent on fuel supplies that are transported by pipelines, trucks, trains and ships. Communications are also critical for proper operation of the electric grid. We must protect all critical infrastructure PSIEs at a baseline cybersecurity level in order to prevent a domino-effect type of failure.
Some say that we have NERC CIP for this purpose. I disagree: NERC CIP only applies to a fragment of the electric grid, i.e. the bulk power system, and does not cover the entire electric grid. NERC CIP is also labor intensive and has been designed for compliance, not cybersecurity best practices. For example, consider NERC's 15-minute rule or the guidance that allows a company to install software when its software supplier cannot be identified; so long as this fact is documented, it will pass a NERC audit. I would never install a software package when a party cannot verify the source supplier (ref. NERC RSAW for CIP-010, page 16, Note to Auditor). That is simply bad guidance if your goal is real cybersecurity protection and preventing harmful software from being installed.
We need to protect the entire electric grid and all critical infrastructure. It's time to put our best cybersecurity team on the field, NIST and CISA, to drive cybersecurity policies and practices across all critical infrastructure and eliminate siloed and inferior approaches to cybersecurity, such as NERC CIP.
CISA Identifying Critical Infrastructure
Earlier this week there was an interesting article over on InfoRiskToday.com. It talked about CISA’s establishing a program to identify cri...