- Oct 4, 2021 8:03 pm GMT
There are several good reasons to rethink the current cybersecurity paradigm to protect the entire electric Grid:
- NERC policies are limited to the Bulk Electric System only; this becomes a bigger issue as more DER comes onto the Grid, per FERC Order 2222. These DER devices should also be protected against cyber threats, which NERC does not cover today.
- NERC's 15-minute rule, used to decide which assets are subject to cybersecurity requirements, enables threat actors to use tactics, techniques and procedures that "get around" the 15-minute rule by implementing attacks that occur outside of the 15-minute window. The 15-minute rule is bad for grid cybersecurity. All grid cybersecurity risks with a high potential impact and high likelihood, following NIST standards, should be addressed, regardless of how long the risk takes to manifest in grid impacts.
- NERC E-ISAC is a closed community that does not allow cyber security information reporting and dissemination with parties outside of NERC BES. Incident reporting is critically important to helping secure the grid; legislation is proceeding in Congress that will make CISA the reporting entity for cyber incidents across all critical infrastructure, not just the BES as NERC provides.
- NERC lacks the level of cybersecurity expertise that exists with CISA. CISA has the cybersecurity experts that the entire Nation depends on. It makes sense to put our cybersecurity experts at CISA in charge of cybersecurity policies to protect the electric grid, in its entirety, along with other interdependent critical infrastructure, i.e. Gasoline, Oil, Natural Gas, Communications, Transportation, Water, Healthcare and others.
I agree with FERC Chairman Glick: it's time to rethink cyber security policies and administration across the BES and indeed the entire electric grid.