CIP audits show utilities are just getting started with securing the grid.
Steven Andersen is a freelance writer based in New York. Email him at andersenwriting@gmail.com.
Bad news from the front lines in the cyber-security war: Little meaningful progress has been made toward safeguarding the nation’s electric grid from malicious attacks. Initial cyber-security assessments and audits suggest few companies really are ready to implement the first wave of NERC critical infrastructure protection (CIP) standards, despite the fact the utility industry drafted the regulations.
“I honestly don’t believe the industry placed a high probability on the standards becoming law,” says Brian M. Ahern, president and CEO of security vendor Industrial Defender. The resulting anxiety has been a boon to companies like Ahern’s, whose phones are ringing off the hook.
“The industry is in a frenzy,” he says. “These regulations have passed. They have real teeth, to the tune of a million dollars a day in fines. They have some milestone dates looming, June 30th being the first. Yet very few utilities have done anything beyond assessing their level of risk.”
The initial CIP phase largely is procedural, covering personnel background checks, password protection and auditability. As fundamental as those things might seem, they’re big news to the industry, and the broad language of the rules is open to much interpretation.
“A number of utilities have gone back to NERC and FERC looking for clarification,” says Robert Sill, CEO and president of security firm Aegis Technologies.