Open Letter to Utility Executives
You will be spending a significant amount of time and resources on CIP compliance. My intent is to ensure you are spending your money wisely, and not twice.
On Oct. 17, 2007, Congressional hearings were held (http://homeland.house.gov/) on “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” Additionally, on Oct. 17, the House Homeland Security Committee issued a letter to the chairman of FERC requesting an investigation of the industry response to the Aurora vulnerability (as shown on CNN). The reason for both the hearings and the letter is the shortcomings of the NERC CIP standards and of industry’s response to the ES-ISAC Advisory.
The NERC CIP standards were explicitly developed to minimize the number of assets to be addressed. Because of the exclusions and ambiguity designed into the NERC CIPs, they would not be adequate to secure a mainstream IT application such as a human resources system, much less America’s critical infrastructure.
Before the hearings started, I felt the number of critical cyber assets for a medium-size utility would be on the order of several thousand, not 20 as some major utilities are identifying under the CIP standards. This should be a red flag for the industry.