NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all entities declared at least on critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)

Assante does take a moment to see the bright side:

…these figures are indicative of progress toward one of the goals of the existing CIP standards: to prioritize asset protection relative to each asset’s importance to the reliability of the bulk electric system. Ongoing standards development work on the CIP standards seeks to broaden the net of assets that would be included under the mandatory standards framework in the future, but this prioritization is an important first step to ensuring reliability.

But he then addresses the reality that many of the entities my not have gotten the “cyber security paradigm” that always comes up in the philosophical discussions of CIP-002. He puts it very eloquently but here’s the one sentence version: it’s not just about the loss of an asset, it’s about what happens if an attacker gains control of that asset.

Will Assante’s letter be a wake up call that saves the CIP efforts or is this the straw that breaks the camel’s back and ushers in a new regulatory approach? Those who have been vocal opponents of the CIP standards may have an “I told you so” moment. But then again, the “compliance does not equal security” sword can be double-edged. What if there are entities that have ramped up security efforts because of NERC CIP but didn’t declare any CA’s or CCA’s for any number of reasons? Impossible to measure but anecdotally I know of several places where this is true.

Regardless of what happens, something does need to be done to clarify CIP-002. I think Assante’s letter is a turning point for the NERC CIP standards and am anxious to see what unfolds.