A Fine Mess

Deck: 

CIP audits show utilities are just getting started with securing the grid.

Fortnightly Magazine - June 2008
This full article is only accessible by current license holders. Please login to view the full content.
Don't have a license yet? Click here to sign up for Public Utilities Fortnightly, and gain access to the entire Fortnightly article database online.

Bad news from the front lines in the cyber-security war: Little meaningful progress has been made toward safeguarding the nation’s electric grid from malicious attacks. Initial cyber-security assessments and audits suggest few companies really are ready to implement the first wave of NERC critical infrastructure protection (CIP) standards, despite the fact the utility industry drafted the regulations.

“I honestly don’t believe the industry placed a high probability on the standards becoming law,” says Brian M. Ahern, president and CEO of security vendor Industrial Defender. The resulting anxiety has been a boon to companies like Ahern’s, whose phones are ringing off the hook.

“The industry is in a frenzy,” he says. “These regulations have passed. They have real teeth, to the tune of a million dollars a day in fines. They have some milestone dates looming, June 30th being the first. Yet very few utilities have done anything beyond assessing their level of risk.”

The initial CIP phase largely is procedural, covering personnel background checks, password protection and auditability. As fundamental as those things might seem, they’re big news to the industry, and the broad language of the rules is open to much interpretation.

“A number of utilities have gone back to NERC and FERC looking for clarification,” says Robert Sill, CEO and president of security firm Aegis Technologies.

This full article is only accessible by current license holders. Please login to view the full content.
Don't have a license yet? Click here to sign up for Public Utilities Fortnightly, and gain access to the entire Fortnightly article database online.