
Bravo FERC!

Today FERC approved the NERC/ERO CIP cyber security standards for the electric industry. This was the right decision to avoid derailing progress.

What is most impressive are the comments in the press release and final rule.

They directed modifications and improvements. This is Version 1.0, and it will get better and more stringent. Basically NERC/ERO needs to modify the standard to address a lot of the requests in the NOPR and resubmit. They also dealt with the CIP v. NIST issue realistically to gain the benefits of NIST work while avoiding confusion and delay.

The final rule also directs NERC to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST) to “determine if they contain provisions that will protect the Bulk-Power System better than the CIP Reliability Standards,” FERC said. But FERC did not direct NERC to adopt the NIST standards because that could lead to possible delays in putting into place any mandatory and enforceable standards.

This became a political football, and it is comforting that a multi-year effort was not scrapped right when its benefits were being realized.

Comments

Comment from Elec User
Time: January 17, 2008, 5:21 pm

Bravo? NERC approved the same set of standards in July 2006. FERC has caused the industry to expend much additional effort, that could have been applied to actually securing the BES, by dragging this out. An earlier adoption would have allowed for much of the currently discussed matters to be in the standards development process. The same people that work in the industry to secure the BES are the same people that get taken off of their regular assignments to respond to each FERC/NERC/other publication and request.

Comment from Jake Brodsky
Time: January 17, 2008, 8:32 pm

The handwriting is on the wall. If you are making longer term plans for security and system design, you’d be wise to use the NIST 800-53 methodologies instead of CIP-002. FERC is looking for ammunition to shoot at CIP-002. Apparently they didn’t hear enough outcry from the Notice of Proposed Rulemaking. I figure it’s only a matter of time before they do.

Of course, I could be wrong about this. It may take many years and several minor hacks before a major disaster causes people to sit up and take notice.
