Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
Michael T. Burr is editor-in-chief of Public Utilities Fortnightly. Scott M. Gawlicki provided some content for this story. Email Michael at firstname.lastname@example.org.
When Alison Silverstein limped into an Arlington, Va., hotel meeting room in March 2002, few would have guessed the woman on crutches would throw down such a heavy gauntlet.
But broken foot notwithstanding, the senior policy adviser to then-FERC Chairman Pat Wood carried a weighty ultimatum. Just six months after the 9/11 terrorist attacks, she told members of the NERC Critical Infrastructure Protection Committee to secure the grid, or the federal government would secure it for them.
Actually, Silverstein’s message was slightly more nuanced.
“I gave them two options,” she says. “One, you write the rules you want to live with; or two, I’ll get a bunch of federal bureaucrats who don’t know much about the utility industry to draft a set of rules. And you know what bureaucrats will do.”
The committee got the message. NERC began developing standards and guidelines for its members to use in securing the nation’s critical power infrastructure, particularly against cyber attack or misuse. But disagreements over the details — especially potential compliance costs — delayed the process and forced multiple revisions that made the standards more flexible and easier for the industry to meet.