State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Cyber Attack! CIP Goes Live
Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
When Alison Silverstein limped into an Arlington, Va., hotel meeting room in March 2002, few would have guessed the woman on crutches would throw down such a heavy gauntlet.
But broken foot notwithstanding, the senior policy adviser to then-FERC Chairman Pat Wood carried a weighty ultimatum. Just six months after the 9/11 terrorist attacks, she told members of the NERC Critical Infrastructure Protection Committee to secure the grid, or the federal government would secure it for them.
Actually Silverstein’s message was slightly more nuanced.
“I gave them two options,” she says. “One, you write the rules you want to live with; or two, I’ll get a bunch of federal bureaucrats who don’t know much about the utility industry to draft a set of rules. And you know what bureaucrats will do.”
The committee got the message. NERC began developing standards and guidelines for its members to use in securing the nation’s critical power infrastructure, particularly against cyber attack or misuse. But disagreements over the details — especially potential compliance costs — delayed the process and forced multiple revisions that made the standards more flexible and easier for the industry to meet.
“With the earlier drafts, the critical-asset standards were very specific,” says David Grubbs, transmission manager for City of Garland, Texas. “But there was so much opposition that what’s left is really nebulous. Now it’s really more of a risk-based analysis process.”
The Northeast blackout in 2003 raised the ante, turning attention toward reliability in general. The Energy Policy Act of 2005 (EPAct) created a legislative mandate for reliability standards, and led to NERC gaining enforceable authority as the FERC-designated Electric Reliability Organization (ERO).
Amid these upheavals, the CIP-standards process crawled forward. And finally — after five years, an act of Congress, a FERC staff report and a FERC NOPR — the final CIP standards are now emerging, accompanied by a compliance and enforcement regime (see sidebar “ERO Enforcement Emerges”) .
The good news is the CIP standards are working. “Maybe they aren’t perfect, but boy are they having the desired effect,” says Dale Peterson, president of cyber security consulting firm Digital Bond Inc. “We’ve seen a dramatic increase in the level of effort by a large number of utilities.”
That doesn’t mean, however, the cyber security journey is over — either in terms of implementation or policy development (see “Commission Watch,” p.46) . By all accounts, the industry is taking just the first shaky steps toward a more secure utility grid.
To be sure, the NERC CIP standards represent an historic achievement. They include the first mandatory cyber security requirements of their kind to be imposed on a U.S. private-sector industry. Considering the scope and sensitivity of the grid-security issue, developing a set of enforceable standards inevitably would entail a complex and contentious process. From that perspective, NERC, FERC