Bryan Owen and Ralph Langner had great comments on our recent NERC CIP, Non-US Utilities and Security article. Here is an extended version of my response and comment.
NERC CIP has certainly provided some useful data points and leads to what I believe are some obvious conclusions. In fact, they are so obvious that we should have known them going in, but this is 20/20 hindsight.
1) A sector cannot be reasonably expected to produce and maintain regulations that cause action and expense they believe are not in their self interest.
1a) If the majority of BES entities believed security was required to maintain the stability of the grid and their revenue streams they would require security standards so that the odd operator who did not believe a similar level of security was required would not affect the entire grid.
I’m not a power engineer, but I’m guessing there are some NERC reliability standards that most members view as necessary, are stringent and enforced.
1b) If the majority of BES entities believe security is unnecessary and regulation cannot be totally avoided, then the logical action is to remove as much regulation as possible since compliance adds cost and increases financial risk. The most efficient way to do this is to reduce what is in scope to be regulated. The utilities are acting logically and as we should expect based on their current beliefs.
2) The bottom up approach to convince C-level executives has not worked. I have met individuals in most BES entities that seriously care about cyber security, but they tend to be very lonely in the majority of the companies.
2a) It may be unfair to totally discount a bottom up approach because the vast majority of the engineers and operators do not yet support the need for security. We have not yet seen a test where a concerted and consistant bottom up message has been presented to senior management.
2b) It is likely easier to convince one or a small number of C-level executives that they need to focus on cyber security than large numbers of engineers and operators.