Representatives from NERC, Joe Weiss and a couple of other experts will be testifying tomorrow to a subcommittee of the House Committee on Homeland Security. Of course as nothing more than a researcher/consultant/humble blogger I was not asked to testify, so I’ll testify to the loyal readers. Maybe some staffer will Google this and get another viewpoint.
Dear Members of the … oh it would take too long to make this official. Here are the two points I would make.
1) If the goal is to improve the cyber security posture and reduce the risk of a successful cyber attack on the bulk electric system, the NERC CIP standards as now being administered through the FERC ERO are working.
The level of effort and progress made towards increasing the security of the SCADA and DCS is significant and is accelerating even amongst the entities that were skeptical and slow to begin work. We see this first hand from our clients who have been concerned about security pre-CIP and in discussions with our colleagues in the community working the NERC CIP issues as some of their first serious security efforts.
This is not to say the standards or the administration of the standards are perfect. There is definitely room for improvement in the specificity, coverage and uniformity of application of the standards. Most of the items in the FERC NOPR would improve the standard and should be implemented.
That said, the bulk electric entities are fully occupied making progress on the existing standards. Organizations can’t go from low security to near perfect security overnight. Steady and continuous improvement of the security posture is possible.
The Congress and any other administrative body should be cautious in making changes that will add uncertainty to the standard and derail progress. I recommend a scheduled CIP review and update in the 2009 timeframe that would be enforced in 2011. This would allow work to continue on the existing CIP standards and have entities understand the bar will be raised over time. 2009/2011 may seem like a long way off, but as we have seen with the current standards, time has a way of passing very quickly.
2) Separate the NERC ERO functions from the NERC industry self regulation functions
I have blogged on this in some detail, but there are many continuing conflicts of interest between NERC members and NERC as the ERO. The issue with the FERC comments and now the NOPR is a perfect example. The ERO should be primarily responsible to the regulatory agency, not the members it is regulating.
The existing NERC standards making process allows the regulated entities to reject any changes to the standards if one-third of the voting entities disagree. It is easy to see where some bulk electric entities will resist additional rigor in the standards because it will cost money and other resources. In fact, the current standards essentially were the most stringent that the committee felt could receive enough votes to get approved.
FERC should begin the process of requiring NERC to separate their ERO activities from all other industry activities, in a manner similar to how financial institutions had to separate their banking from trading operations, commonly called a Chinese wall. This will require significant changes to the NERC rules, but the ERO related rules are subject to FERC approval, so FERC has a lever to force the changes if NERC wants to remain the ERO.
The other alternative would be to spin off the ERO as a separate entity, but whoever is the ERO needs to have a major mind shift on who they represent.