
Archive for 'Standards & Orgs'

Ex-FERC Chair Kelliher with Interesting FERC/NERC Comments

Joseph Kelliher was the Chairman of FERC from July 2005 – January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar Association, and the transcript [...]

The CIP Effect Curve – Take II

Two weeks ago I had a post talking about how CIP affected the security posture of different electric sector owner/operators and promised an attempt at drawing this out. Here it is:

See the Full Size CIP_Effect_Chart
This is based on experience and future expectations, and we cannot claim any scientific methodology. Think of it more as our [...]

Emergency Remote Access Clarification / CIP

NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said, the answers in a CAN may be very unpopular and in some cases [...]

The CIP Effect Curve

Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and enough time to answer that question now. Like most things in life, it is not a simple yes or no. It depends on an organization's previous efforts on control system security, its intentions, and time. [...]

ISASecure: Docs on Testing Tool and Lab Accreditation

ISA’s ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed (see links at the bottom of the post) the Functional Security Assessment and Software Development Security Assessment documents, which represent two legs of the three-leg certification. What remains is the protocol stack testing that ISASecure has named Communication [...]

Smart Grid Expectation Problem

We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain.
After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It launched interesting discussions with some friends who are intellectually and emotionally invested [...]

Validation Methods for ISASecure Software Development Security Assessment

Earlier blog entries talked about the ISA Embedded Device Security Assurance Certification and the validation methods for the Functional Security Assessment part of this certification. In this entry I’ll review the as yet unpublished validation columns in the Software Development Security Assurance document. Again, ISASecure has been kind enough to provide these documents to me and [...]

Validation Columns in ISCI Embedded Device Security Specification

I recently reviewed the two published drafts for the ISASecure Embedded Device Security Assurance Certification and had a number of comments on how easy or hard third-party testing of the requirements would be. Since that review, ISASecure was kind enough to send another version of the Functional Security Assessment and Software Design [...]

3 European SCADA Security Links

I recently asked Erik Hjelmvik, an old friend who has at least temporarily moved away from control system security, what is going on in Europe with Control System Security beyond the WIB efforts. He sent three links that may be of interest.

European Network Of SCADA Security Test Centres For Critical Energy Infrastructures (ESTEC) is [...]

ISASecure Embedded Device Security Assurance Certification

Last week the ISCI, after quite a long delay, published draft requirements documents for 2 of the 3 legs of the Embedded Device Security Assurance [EDSA] certification. The Software Development Security Assessment and Functional Security Assessment documents are now online for your review. The Communications Robustness Testing draft has not been published yet.
Much like when [...]