Archive for 'Standards & Orgs'

Control Systems Security Standards Efforts ROI

I’ve been involved to varying degrees with security standards efforts for way too long now, almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan Singer joined Wurldtech that did not make […]

Shameless Marketing FUD and Hype

I’m sure many of you have been spammed by an email from TDI about a “NERC CIP Cyber Asset Alert”. I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and hype to promote […]

BSI IT Grundschutz

The ISA99 WG4 was discussing a security methodology called BSI IT grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog.
UPDATE: A link to the English version of IT grundschutz courtesy of Stephan Beirer.
For the fast reader

The IT grundschutz methodology […]

NERC Looking for Security Experts to Assist with CIP Modifications

Just a quick note. Want to help improve the NERC CIP cyber security standards? They are looking for industry experts to assist. Nominate yourself before April 4th.

SPP Critical Infrastructure Protection Working Group Meeting

Since leaving my post at a utility company and joining the Digital Bond team, my attention level to the NERC CIP saga has dropped off a bit. I’m back up to date now, though, after attending the SPP CIPWG meeting earlier this week. (SPP is the RTO and RE in my part of the […]

Sandia National Labs “Cyber Stalker” Embarrassment

Your tax dollars at work… A Sandia National Labs worker who used her computer access and position to “cyber-stalk” rock star Chester Bennington (of Linkin Park fame) was sentenced to two years in prison last week. This took place over the course of nearly a year in 2006 and involved hacking several of Bennington’s […]

Podcast: SOX and Control Systems

There has been discussion in the community on whether control systems are in the Sarbanes Oxley (SOX) scope.
We have never been comfortable with the level of detail or expertise in the discussion, and the last thing the community needs is more uncertainty about security related regulations. So we found an expert with a background in […]


Bravo FERC!

Today FERC approved the NERC/ERO CIP cyber security standards for the electric industry. This was the right decision to avoid derailing progress.
What is most impressive are the comments in the press release and final rule.
They directed modifications and improvements. This is the Version 1.0, and it will get better and more stringent. Basically NERC/NRO needs […]

FERC “Proposes” Collecting Information on Aurora Mitigation

After the furor of Aurora and the Congressional hearings FERC is proposing to collect “information in connection with steps being taken by the electric industry to address potential cyber vulnerabilities”. The proposing part of this equation has to do with the FERC rulemaking procedure and requirements for public comment which I don’t claim to be […]

Only 7 Months to First NERC CIP Compliance Deadline

December 1. Can you believe it is only 7 months until Balancing Authorities and Transmission Operators who were required to self-certify to NERC 1200 will need to be compliant with 13 NERC CIP requirements? (hat tip: Ron Blume of Dyonyx).
Some of the 30 June 2008 requirements are:

Test procedures for significant patches and upgrades. This […]