SCADApedia

Archive for 'NERC CIP'

Using Bandolier and Nessus for CIP-007 R1 Testing

Testing has always been part of making changes to a control system. When a change is made (e.g. new component, upgrade, patch), we have to know if everything is still going to work. Progressive asset owners have incorporated a security element into their functional testing for a while now. Some would even argue that it’s [...]

NERC CIP and Application Whitelisting Redux

My recent blog post on application whitelisting, and specifically the Bouncer solution, sparked a lot of offline discussion. One of those conversations was with someone who has a significant stake in NERC CIP and agreed to let me post his comments. I try not to get too involved in hair-splitting discussions about standards compliance but [...]

Portaledge and NERC CIP (Updated as I forgot the CIP 5 bullet point)

I recently added an article into SCADApedia that maps Portaledge functionality into NERC CIP requirements. As Portaledge leverages OSI Soft’s PI product, which has huge presence in the electrical segment, deploying Portaledge to assist in meeting compliance for some of the NERC standards is an easy decision.
NERC CIP Requirements that Portaledge can assist in [...]

NERC CIP, Low Hanging Fruit and the Weak Link

The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset owners and vendors. They are so obvious, [...]

Thompson – Lieberman House Bill

The Thompson – Lieberman Bill is a modest legislative effort designed to give FERC more authority to regulate the bulk electric system, and is in fact an amendment to the Federal Power Act. This is not a surprise because a few congressmen and women asked FERC if they needed more authority in a leading way [...]

Assante Throws Down the Gauntlet on CIP-002

NERC entities declaring no critical assets may want to take another look at their risk-based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self-certification survey results that show only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least [...]

Is NIST a Model We can Live With?

Tom Flowers of Flowers Control Center Solutions sent me this interesting thought which I’m posting with his approval.
—–
“The Conficker worm – a malicious computer program that already has infected as many as 15 million computers worldwide, including at least five federal agencies …”.
Everyone has seen this statement flash across the news landscape recently. While [...]

FERC and “The Gap”

Against the wishes of NEI and many operators, FERC published an order today regarding NERC CIP standard applicability in nuclear plants. To save you 32 pages of reading, I’ll attempt to summarize here.

There was an apparent gap in regulation as nuclear facilities were explicitly exempted in the CIP standards but not all cyber assets with [...]

NERC Adds CIP Manager

If you followed the Aurora vulnerability or are involved in the nuclear energy sector, then Timothy Roxey is a name that you will certainly recognize. NERC announced this week that he will be coming on board in a newly-created role — Manager of Critical Infrastructure Protection. He’ll be working with CSO Michael Assante on CIP [...]

On the need for regulation

Joe Weiss lays out an argument for regulation in the Unfettered blog today. I mostly agree with him on this point…
One would expect that a vulnerability as significant as this with such wide-spread notification and notoriety would be addressed post-haste. WRONG! One would at least think that the information would be made available to cognizant [...]