SCADApedia

NERC 1300

I received a few e-mails on my last entry's enthusiastic support for NERC 1300. I agree that the 1300 document has much less detail than many of the other efforts, such as ISA’s SP99, and the document is still rough in many areas. The current draft received over 700 pages of comments.

The reason I like this document is that it has a very good chance of improving the security posture of the bulk electric systems in the near term. Its simplicity and clear requirements are achievable. Here are some examples:

- “Responsible entities must identify the information access limitations related to critical cyber assets based on classification levels”. The wording needs a little work, but defining classification levels and access control is a very positive step.

- “This person must authorize any deviation or exception from the requirements of this standard. Any such deviation or exception and its authorization must be documented”. It may not be possible to implement the policy fully, but this requirement makes it a conscious decision to deviate from the standard. And there will be a periodic review of the exceptions.

- “Responsible entities shall review access rights to critical cyber assets to confirm they are correct …” We often see a variety of old accounts in systems and unauthorized access.

- “The responsible entity shall perform an assessment of the information security protection program to ensure compliance with the documented processes at least annually.” An annual audit. Tremendous.

There are many more simple and powerful requirements in this document.

One of the common complaints about this document is that it should be more detailed on the requirements, to prevent organizations from implementing weak controls that are nonetheless compliant. Hopefully we will get to a detailed standard, but this is a much harder task. In the banking world the detailed standards efforts were achieved by focusing on smaller components of the system, e.g. a security standard for an ATM transaction, another for the crypto module, another for the wholesale banking transactions, etc.

What is in this document could be accomplished by most users with a process control network. It would be very hard to be compliant with this document and not improve the security posture.

Finally, the document requires a member of senior management to lead the effort and sign off on compliance. This goes a long way toward solving the business case problem. It would be a requirement for the covered entities just like G-L-B is for banks and SOX is for public corporations.
