ERCOT utilities approach CIP compliance from varying perspectives
Scott M. Gawlicki, a Fortnightly contributor based in West Hartford, Conn., has been writing about the power industry for nearly 20 years. Fortnightly Editor-in-Chief Michael T. Burr contributed some content for this story. Contact Gawlicki at firstname.lastname@example.org.
As proposed by the North American Electric Reliability Corp., the new critical infrastructure protection (CIP) standards charge utilities with identifying their own critical assets and related cyber systems.
This approach allows great flexibility for utilities to apply the CIP standards to their particular situations. This will help ensure that their efforts focus on securing critical assets, rather than on complying with an overly prescriptive set of mandates that might or might not yield a secure grid.
The same flexibility, however, is creating an unnerving level of uncertainty among utilities facing a looming compliance deadline.
“You’ve got every organization under the sun taking their own guess about what should and shouldn’t be considered a critical cyber asset,” says Darren Highfill, CISSP and utility communications security architect for EnerNex Corp., an engineering and consulting firm based in Knoxville, Tenn. “Until the standards are finalized and NERC starts doing audits, we’re speculating about where the line will be drawn.”