Letters to the Editor

Fortnightly Magazine - January 2008

Open Letter to Utility Executives

You will be spending a significant amount of time and resources on CIP compliance. My intent is to ensure you are spending your money wisely, and not twice.

On Oct. 17, 2007, Congressional hearings were held (http://homeland.house.gov/) on “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” Additionally, on Oct. 17, the House Homeland Security Committee issued a letter to the chairman of FERC requesting an investigation of the industry response to the Aurora vulnerability (as shown on CNN). The reasons for the hearings and the letter are the shortcomings of the NERC CIP standards and industry’s response to the ES ISAC Advisory.

The NERC CIP standards were explicitly developed to minimize the number of assets to be addressed. Because of the exclusions and ambiguity designed into the NERC CIPs, they would not be adequate to secure a mainstream IT application such as a human resources system, much less America’s critical infrastructure.

Before the hearings started, I felt the number of critical cyber assets for a medium-size utility would be on the order of several thousand, not 20 as some major utilities are identifying under the CIP standards. This should be a red flag for the industry.
