On May 2, 2006, the NERC board of trustees adopted the Critical Infrastructure Protection Cyber Security Standard. This article provides some answers to questions in the form of security program...
Letters to the Editor
Open Letter to Utility Executives
You will be spending a significant amount of time and resources on CIP compliance. My intent is to ensure you are spending your money wisely, and not twice.
On Oct. 17, 2007, Congressional hearings were held (http://homeland.house.gov/) on “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” Additionally, on Oct. 17, the House Homeland Security Committee issued a letter to the chairman of FERC requesting an investigation of the industry response to the Aurora vulnerability (as shown on CNN). The reason for the hearings and the letter is the shortcomings of the NERC CIP standards and industry’s response to the ES ISAC Advisory.
The NERC CIP standards were explicitly developed to minimize the number of assets to be addressed. Because of the exclusions and ambiguity designed into the NERC CIPs, they would not be adequate to secure a mainstream IT application such as a human resources system, much less America’s critical infrastructure.
Before the hearings started, I felt the number of critical cyber assets for a medium-size utility would be on the order of several thousand, not 20 as some major utilities are identifying under the CIP standards. This should be a red flag for the industry.
Following a discussion of potential cyber impacts that could flow from the distribution system to the transmission system, David Whitley, executive vice president of NERC, made a very interesting statement. He stated that if a house could impact the bulk electric system, the house should be covered by the standard. This means AMI needs to be included and significantly increases the number of critical cyber assets.
As a utility executive, you are either planning, working on, or have completed your NERC CIP gap analysis. Based on the recent House hearings and common sense, any gap analysis that followed the NERC CIPs will need to be redone. It is in your best interests to revisit what you are actually trying to accomplish—to game the system or secure your assets.
Respectfully,
Joe Weiss PE, CISM
Applied Control Solutions, LLC
Cupertino, Calif.
The authors of “Carbon Wargames” (Fortnightly, Dec. 2007) set forth an elegant strategy for testing certain variables facing utilities as they look out over the next 25 years. It contributes to critical thinking, and introduces complex scenarios to decision makers. The ever-changing regulatory requirements in the face of climate change legislation, national and international, play an integral role in this important gamesmanship as well.
The problem with games, such as the one described, is that the variables are necessarily limited, thus eliminating consideration of others that might drive the results in different directions altogether. Here we read of scenarios involving coal-land and gas-land. Petroleum-land is not a factor by design.
I’d like to offer another variable for consideration: peak oil is reached in 2010. Peak oil occurs when worldwide oil production begins to decline in absolute daily volumes extracted. While all oil experts agree peak oil will occur, they do not agree when it will occur.