Are you a PSIE's ("primary systemically important entities”).

I find it encouraging that CISA is working to provide a baseline set of cybersecurity practices that will apply across PSIEs within critical infrastructure. The inter-dependencies across critical infrastructure are well known. Every critical infrastructure operation requires electricity and electricity is dependent on fuel supplies that are transported by pipelines, trucks, trains and ships. Communications are also critical for proper operation of the electric grid. We must protect all critical infrastructure PSIEs at a baseline cybersecurity level in order to prevent a domino effect type of failure.

Some say that we have NERC CIP for this purpose. I disagree, NERC CIP only applies to a fragment of the electric grid, i.e. the bulk power system, and does not cover the entire electric grid. NERC CIP is also labor intensive and has been designed for compliance, not cybersecurity best practices. For example, consider NERC's 15 minute rule or the guidance that allows a company to install software when it's software supplier cannot be identified, so long as this fact is documented, it will pass a NERC audit. I would never install a software package when a party cannot verify the source supplier (ref NERC RSAW for CIP-010 page 16 Note to Auditor). That is simply bad guidance, if your goal is real cybersecurity protection and preventing harmful software from being installed.

We need to protect the entire electric grid and all critical infrastructure. It's time to put our best cybersecurity team on the field, NIST and CISA, to drive cybersecurity policies and practices across all critical infrastructure and eliminate siloed and inferior approaches to cybersecurity, such as NERC CIP.