Operations personnel at many energy companies feel the pressure of achieving compliance with the NERC CIP standards. Some worry that they are not aware of the problems and security incidents that...
Deadline Looms for New Cyber-Security Standard
NERC's proposal has the industry scrambling.
As the balloting process for new cyber-security standards from the North American Electric Reliability Council (NERC) drew to a close, the industry group was gearing up for the difficult tasks ahead: ensuring rapid implementation of the new standards among NERC's members.
The new standards are scheduled for approval no later than Nov. 1, 2005, with compliance assessments to follow in 2006.
"Everybody would like to have [complied] yesterday, but the reality of it is that it's going to be a couple of years out before real compliance is there," says Dave Harries, system administrator with Pacificorp.
But first the new NERC standards, CIP-002-1 (Critical Infrastructure Protection) through CIP-009-10, need to be approved by NERC's membership, with the final balloting process scheduled shortly after press time for this article. The new standards advance and expand upon the NERC 1200 standard, adopted by NERC in August 2003, following approval by the industry in July 2003, although the timing of the approval, not too long after the Sept. 11, 2001, terrorist attacks, wasn't tied to those attacks.
"[Approval] did happen after 9/11, but it really had to do with the growing threats to our infrastructure, or the recognition of the threats, and the increasing vulnerabilities that we were facing because of the new technology that was being introduced," says NERC Chief Information Officer Lynn Constantini. "That [standard] was really just to raise awareness and bring all of the different entities within our sector that had some involvement in the bulk electric grid in reliability up to the same level playing field, minimal level of security. Once we were assured that everybody was doing at least the minimum, then we went and took the next step."
However, the industry continues working with the NERC 1200 standard while the new standards (formerly dubbed NERC 1300) remain open to "lots of comment from anybody who's interested," Constantini says. The CIP standards were, at press time, in their third round of public review and comment, while NERC tried to amend its rules to extend 1200 past its scheduled August expiration.
"We have made, I think, a demonstrable effort and significant progress toward the 1300. However, we're not done," Constantini says. "We haven't built a significant enough consensus.
"NERC believes so strongly that cyber-security standards are important for securing our infrastructure and protecting reliability that we do not want a gap in our protection. That's why we want to change the process to allow 1200 to be extended again. That's only because we have been making progress on the 1300."
Why the drawn-out process? Constantini says the new CIP standards "significantly expand" the scope of the earlier standard, "and that has people worried." She also acknowledges a lack of clarity in the language used in earlier versions of the standard. "For people to understand what it is that was going to be required of them, it's incumbent upon the drafting team to do a very good job. Definitions were vague as