Archive for 'NERC CIP'
Ex-FERC Chair Kelliher with Interesting FERC/NERC Comments
Joseph Kelliher was the Chairman of FERC from July 2005 – January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar Association, and the transcript [...]
Author: Dale Peterson
Posted: July 16th, 2010 under NERC CIP, US Government.
Comments: none
The CIP Effect Curve – Take II
Two weeks ago I had a post talking about how CIP affected the security posture of different electric sector owner/operators and promised an attempt at drawing this out. Here it is:
See the Full Size CIP_Effect_Chart
This is based on experience and future expectations, and we cannot claim any scientific methodology. Think of it more as our [...]
Author: Dale Peterson
Posted: July 6th, 2010 under NERC CIP.
Comments: 4
Emergency Remote Access Clarification / CIP
NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said, the answers in a CAN may be very unpopular and in some cases [...]
Author: Dale Peterson
Posted: June 23rd, 2010 under NERC CIP, Remote Access.
Comments: none
The CIP Effect Curve
Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organization's previous efforts on control system security, intention and time. [...]
Author: Dale Peterson
Posted: June 18th, 2010 under NERC CIP.
Comments: 3
FISMA / SP800-53 is not Utopia?
The first potentially successful effort in the US to have a control system security standard that had "must" and "shall" requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security [...]
Author: Dale Peterson
Posted: April 26th, 2010 under Calculating Risk, NERC CIP, The Rack, US Government.
Comments: 5
Odd NERC Advisory
NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways.
1. There is no new information. This is all old news.
2. So many field devices used in this electric sector have these same or equally important security deficiencies. Are we going to see NERC Advisories on every brand and model? If [...]
Author: Dale Peterson
Posted: April 13th, 2010 under NERC CIP, Vulnerability Disclosure.
Comments: 1
Distributech Thoughts and Items
We do a lot more work in the generation and transmission side of the electric sector, so Distributech is always a welcome show to learn more about the distribution side. And of course this year Smart Grid dominated the show.
One very clear positive result from the NERC CIP standards is substation communications gateway equipment [...]
Author: Dale Peterson
Posted: April 2nd, 2010 under Conferences, NERC CIP.
Comments: 1
Implementing CIP Security Controls
I have always admired the comments of Michael Toecker on our site and elsewhere, and offered him the opportunity to write an occasional blog entry here when he has something to say. Here is the first of hopefully many from Michael.
Many asset owners in the energy sector are moving past the NERC CIP assessment stage, [...]
Author: Dale Peterson
Posted: April 1st, 2010 under NERC CIP.
Comments: none
Using Bandolier and Nessus for CIP-007 R1 Testing
Testing has always been part of making changes to a control system. When a change is made (e.g. new component, upgrade, patch), we have to know if everything is still going to work. Progressive asset owners have incorporated a security element into their functional testing for a while now. Some would even argue that it’s [...]
Author: Jason Holcomb
Posted: February 19th, 2010 under Bandolier, NERC CIP, The Rack.
Comments: none
NERC CIP and Application Whitelisting Redux
My recent blog post on application whitelisting, and specifically the Bouncer solution, sparked a lot of offline discussion. One of those conversations was with someone who has a significant stake in NERC CIP and agreed to let me post his comments. I try not to get too involved in hair-splitting discussions about standards compliance but [...]
Author: Jason Holcomb
Posted: October 23rd, 2009 under Anti-Virus, NERC CIP.
Comments: 9