Weiss makes no bones about his relationship to INEEL (he's under contract to the lab), but he hopes vendors will rise to his challenge. "I'm technology- and vendor-agnostic," Weiss says. "I don't have a product to sell. If [someone's] got a solution, hot damn. But if they do, they should take it out and prove it."
Weiss also finds little comfort in the North American Electric Reliability Council's work on a cyber-security standard. A consultant to NERC's Critical Infrastructure Protection Committee (CIPC), Weiss has choice words for the direction of the council's efforts.
"I'll be very honest with you. Unless NERC 1300 [the upcoming iteration of the NERC standard] gets substantially more detailed, it won't cover most [control systems]. It excludes all nuclear power plants and all distribution systems, and both have had intrusions. And yet, the NERC standard will explicitly exclude both."
"People are trying to take a warm, comfy feeling that industry is doing something, and therefore we're better off. [But] when you explicitly exclude a third or more of the electric infrastructure, that shouldn't be a warm comfortable feeling.
"This has been brought up [at the CIPC meetings] and it has been turned down. Distribution has been said to not be under NERC's charter, but DOE told NERC, 'Your charter is the electric industry.' And there's a presidential decision directive that says the Nuclear Regulatory Commission is responsible for nuclear plants. Here's the conundrum. The NRC charter is to ensure that a nuclear plant can shut down and stay down. Their charter is not to keep a nuclear plant up. It's exactly the opposite of what we need.
"It is my belief that our executives are not aware of this."
NERC: Defender of All?
NERC's mission of ensuring that "the bulk electric system in North America is reliable, adequate, and secure" has come under increased scrutiny in a post-9/11 world. Critics say that the organization lacks the regulatory authority to be effective.
In fact, in terms of reliability, the organization has openly called for Congress to give it mandatory, enforceable reliability authority.
Absent that authority, NERC relies on "reciprocity, peer pressure, and the mutual self-interest of all those" organizations that share its goals.
But Louis G. Leffler, manager of critical infrastructure protection at NERC, believes NERC is well positioned to help the industry prepare for potential threats.
He says the recent release of the 9/11 Commission's report has spurred NERC to greater levels of cooperation across government agencies and the private sector. Furthermore, he adds that initiatives to increase both physical and cyber security at utilities started several years ago under President Bill Clinton.
In 1997, Clinton's Commission on Critical Infrastructure Protection issued a report, which was followed by Presidential Decision Directive 63, indicating the need for more formal critical infrastructure protection. "It didn't limit itself to cyber security," Leffler says.
What the Commission Said
With the recent elevation of the terror threat level ahead of U.S. elections this November, the industry is racing to implement the recommendations of the commission's report. "The