SCADApedia

Archive for 'NERC CIP'

Ex-FERC Chair Kelliher with Interesting FERC/NERC Comments

Joseph Kelliher was the Chairman of FERC from July 2005 – January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar Association, and the transcript [...]

The CIP Effect Curve – Take II

Two weeks ago I had a post talking about how CIP affected the security posture of different electric sector owner/operators and promised an attempt at drawing this out. Here it is:

See the Full Size CIP_Effect_Chart
This is based on experience and future expectations, and we cannot claim any scientific methodology. Think of it more as our [...]

Emergency Remote Access Clarification / CIP

NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said, the answers in a CAN may be very unpopular and in some cases [...]

The CIP Effect Curve

Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and enough time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organization's previous efforts on control system security, intention and time. [...]

FISMA / SP800-53 is not Utopia?

The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security [...]

Odd NERC Advisory

NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways.
1. There is no new information. This is all old news.
2. So many field devices used in the electric sector have these same or equally important security deficiencies. Are we going to see NERC Advisories on every brand and model? If [...]

Distributech Thoughts and Items

We do a lot more work on the generation and transmission side of the electric sector, so Distributech is always a welcome show to learn more about the distribution side. And of course this year Smart Grid dominated the show.

One very clear positive result from the NERC CIP standards is substation communications gateway equipment [...]

Implementing CIP Security Controls

I have always admired the comments of Michael Toecker on our site and elsewhere, and offered him the opportunity to write an occasional blog entry here when he has something to say. Here is the first of hopefully many from Michael.
Many asset owners in the energy sector are moving past the NERC CIP assessment stage, [...]

Using Bandolier and Nessus for CIP-007 R1 Testing

Testing has always been part of making changes to a control system. When a change is made (e.g. new component, upgrade, patch), we have to know if everything is still going to work. Progressive asset owners have incorporated a security element into their functional testing for a while now. Some would even argue that it’s [...]

NERC CIP and Application Whitelisting Redux

My recent blog post on application whitelisting, and specifically the Bouncer solution, sparked a lot of offline discussion. One of those conversations was with someone who has a significant stake in NERC CIP and agreed to let me post his comments. I try not to get too involved in hair-splitting discussions about standards compliance but [...]