Cyber Attack! CIP Goes Live
Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
KEMA Consulting in Philadelphia, Pa. “They’re a good start, but they’re certainly not enough. More needs to be done. Whether NERC is the right one to do it is another question.”
In particular, as the distribution grid becomes more automated, and operational systems get connected with enterprise systems, the bulk-power distinction loses relevance in terms of cybersecurity and critical infrastructure threats.
“With cyber systems crossing so many different areas, we need a super-NERC,” Bucciero says. “Maybe NERC should just focus on reliability, and a separate cyber counterpart should look across the industry, irrespective of the voltage level.”
Although FERC lacks the authority to take such a holistic approach to regulating security, the necessary authority might be available under the aegis of DOE or the Department of Homeland Security. Alternatively, Congress could enact new federal authority for such an agency.
Or perhaps such authority isn’t really necessary. Groups like IEEE successfully promulgate standards without legal authority, and in the long term a non-regulatory approach might prove more successful than stretching mandatory standards further than existing institutions feasibly could enforce. Apart from national-security level concerns, which the CIP standards are intended to address, perhaps cyber security should be treated the same as any other operational or business risk. Utilities might be expected to apply “reasonable business judgment” and protect their systems appropriately without an intrusive regulatory regime.
“You can’t be everybody’s mommy,” Silverstein says. “You can’t cover all the sharp edges in the world. People have to protect their own business interests and assets.”
In the short term, utilities have their hands full complying with the mandatory CIP standards, while also grappling with cyber security vulnerabilities outside the bulk-electric system. Indeed, NERC CIP compliance likely will be just the beginning of a long and complicated journey for the industry.
“This stuff is not easy or cheap,” Silverstein says. “These are huge operational changes. It seems to me you have to walk before you can run.”