The President/CEOs of the American Public Power Association (APPA), Edison Electric Institute (EEI), and National Rural Electric Cooperative Association (NRECA) felt a recent WSJ article critical of the electric sector’s cyber security “warrants response from the electric-power industry”. It is a shame the response was weak and devoid of any argument or evidence that the WSJ was wrong in their reporting.

Here is the crux of their rebuttal:

Together with our members, we work closely with the North American Electric Reliability Corp. to set standards that protect grid reliability and security. Before becoming enforceable, all draft standards go through three levels of approval—the industry, the independent NERC Board of Trustees and the Federal Energy Regulatory Commission.

Is that the best you got? Why not have three data points that clearly show NERC CIP is effectively improving the cyber security of the bulk electric system? And then point to a white paper on how you are benchmarking improvement in the bulk electric system cybersecurity posture and the results showing that improvement, lessons learned, goals for next 1-3 years, etc.

The fact that utilities are writing the rules that determine the cybersecurity regulatory requirements for bulk electric system owner/operators (themselves) is actually damning, not a positive debating point. Self-interest would dictate that utilities keep regulatory requirements as minimal as possible, even if the utility was planning on spending more time and money on cyber security. There is no need or incentive to create regulatory risk to address security risk.

A clear example of this avoid-regulation thinking is the set of statistics in the infamous Assante letter of April 2009. He highlighted survey results showing that 71% of the vendors in power generation said their risk assessment found the NERC CIP standards did not require them to implement any cyber security measures. There were additional damning stats that showed the CIP emperor was naked. The numbers have not greatly improved, although CIP Version 5 is designed to change this.

Mandatory standards with fines would not have been necessary if the utilities had prudently developed cybersecurity programs to address the risk to ICS in the bulk electric system. (A small number were working diligently on the issue, and NERC CIP critiques are always an unfair broad brush.) Why would one expect the majority of utilities, which did not feel the ICS cyber risk warranted the expenditure of time and money, to write standards that would require them to spend time and money? NERC standards historically worked best when the majority of utilities saw a shared risk in the bulk electric system and wanted to force the laggards into action for their own self-interest.

While NERC CIP has a multitude of problems and I would not be a CIP defender, there are clear examples where it has improved cybersecurity in the bulk electric system. Some of the owner/operators who wanted to do nothing on ICS cybersecurity have been forced to put in security perimeters, deploy anti-virus, perform training and security awareness, create inventories, … It is terribly inefficient, but it is progress for those that were doing nothing.

The letter to the WSJ is awful marketing. A terrible product makes Marketing’s job difficult, but the CIP standards deserve a better message than “WSJ you’re wrong; we are writing and implementing good standards. Really, we are doing the right thing for the security of the grid.” Since CIP compliance has been mandatory for many years now, there should be some hard, compelling data that CIP is improving the security of the grid.

Image by Wendall