
Assante Throws Down the Gauntlet on CIP-002

NERC entities declaring no critical assets may want to take another look at their risk-based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self-certification survey results showing that only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)

Assante does take a moment to see the bright side:

…these figures are indicative of progress toward one of the goals of the existing CIP standards: to prioritize asset protection relative to each asset’s importance to the reliability of the bulk electric system. Ongoing standards development work on the CIP standards seeks to broaden the net of assets that would be included under the mandatory standards framework in the future, but this prioritization is an important first step to ensuring reliability.

But he then addresses the reality that many of the entities may not have grasped the “cyber security paradigm” that always comes up in the philosophical discussions of CIP-002. He puts it very eloquently, but here’s the one-sentence version: it’s not just about the loss of an asset, it’s about what happens if an attacker gains control of that asset.

Will Assante’s letter be a wake-up call that saves the CIP efforts, or is this the straw that breaks the camel’s back and ushers in a new regulatory approach? Those who have been vocal opponents of the CIP standards may have an “I told you so” moment. But then again, the “compliance does not equal security” sword can be double-edged. What if there are entities that have ramped up security efforts because of NERC CIP but didn’t declare any CAs or CCAs for any number of reasons? Impossible to measure, but anecdotally I know of several places where this is true.

Regardless of what happens, something does need to be done to clarify CIP-002. I think Assante’s letter is a turning point for the NERC CIP standards and am anxious to see what unfolds.

Comments

Comment from Orlando Stevenson
Time: April 7, 2009, 9:56 pm

Yes – the letter is an attention getter. And bolstering CIP-002 with the clarification it deserves is overdue to ultimately result in an outcome of “a comprehensive list of all assets critical to the reliability of the bulk electric system.” Assante’s comments about how important it is to use a methodology that appropriately “rules out” CAs (instead of just ruling some in) are spot on as well. Risk-informed compliance starts with such assessments, and the upcoming workshops outlined should also help move the industry forward. This letter may well represent “the” pivotal turning point that’s none too soon for the industry and NERC itself. No doubt there will be more to follow in 2009, marked with challenging opportunities to provide more congressional testimony explaining progress, or lack thereof. The spotlight is warming up; 2009 is show time for NERC CIPs.

Comment from Jake Brodsky
Time: April 8, 2009, 2:45 pm

In the past, I have pointed out fundamental philosophical differences with the way CIP-002 was written. In my opinion, it is a clumsy approach and it is inadequate.

Nevertheless, what many in the electric industry did was even worse: They fed this document to their corporate attorneys and asked them for ways to weasel out of these requirements.

So they did. If NERC escapes this one without a regulatory effort from FERC, I’ll be surprised.

Comment from CallBEFOREYouDig
Time: April 8, 2009, 9:27 pm

Option 1: Invest in cyber security.

Option 2: Invest in massive compliance effort. Expose your company to risk of huge fines, based on requirements that are subject to various, arbitrary interpretations. Forget about tailoring the solution to match the situation (the point of the technical exception process is to ensure that technical exceptions are, at best, a last, desperate, resort).

How do you choose your option? Well, you get to make the rules, because any organization that might have been considered competent to make this determination was allowed to cut and run. So, companies pretty much have a fiduciary duty to their shareholders to define rules that choose Option 1.

Comment from Gary Hinson
Time: April 9, 2009, 4:31 am

Shut down the remaining 69%, since they are non-critical. Save money! :-)
