Last week I attended a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Conference in Atlanta hosted by Electric Utility Consultants, Inc. (EUCI). The presentations were enlightening, particularly one that focused on the next version of the NERC’s Critical Infrastructure Protection (CIP) standards. As I noted in my first post, debates continue to rage about what assets within an electric utility’s infrastructure should be considered critical. One of the conference presenters highlighted some of the changes in store for the next version. Among them is the addition of a sixteen page (so far) annex describing the process for identifying the criticality of an asset, which will be rated as a high, medium, or low risk as opposed to just critical or not critical, a process borrowed from the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 199. This should give proactive utilities the flexibility they need to secure their environments without being burdened by requirements that are inconsistent with the risks. Or so we may hope. As we’ve learned in the federal space, the devil is always in the details. Allowing more subjective judgment into the process can allow utilities looking to do the minimum possible to escape their obligation while giving auditors an opportunity to impose more of their own interpretations of the risks and the relevant controls into the process.
Ultimately, consensus usually wins out and appropriate security controls for particular technologies and business processes end up being what is required. However, given utilities’ penchant for relying on hardware and software vendors to resolve these challenges, the right balance may be a ways off. Let us hope that through the currentcollaboration sponsored by NIST to identify security risks and facilitate the development of standards for Smart Grid that we’ll arrive at our destination sooner than usual. The integrity and reliability of our electric grid depends on it.