NERC’s critical infrastructure protection standards ambiguous, unclear: analysts

Published 19 December 2013

In January 2008, to counter cybersecurity threats to critical infrastructure assets such as the bulk electric system (BES), the North American Electric Reliability Corp. (NERC) launched its Critical Infrastructure Protection (CIP) standards for BES cybersecurity. NERC-CIP is marked by uncertainties and ambiguous language, raising concerns in the industry and among industry observers as companies try to comply with the standards. “Industry now screams for a defined control set with very specific requirements that don’t permit subjective and ambiguous interpretations,” comments one analyst.

In January 2008, to counter cybersecurity threats to critical infrastructure assets such as the bulk electric system (BES), the North American Electric Reliability Corp. (NERC) launched its Critical Infrastructure Protection (CIP) standards for BES cybersecurity, with oversight from the Federal Energy Regulatory Commission (FERC). NERC’s CIP Version 3 suite comprises the currently effective reliability standards. Version 4 has been proposed alongside Version 5, but the former will be discarded before being formally approved, because NERC plans to adopt Version 5 before Version 4’s scheduled effective date.

Automation World quotes Nina Vajda, Rockwell Automation’s Cleveland-based global manager of networks and security services, as saying that NERC-CIP Version 5 differs from previous versions because of its compliance requirements involving encryption, role-based assets, level of compliance, and new technology. Version 5 also introduces new cybersecurity controls and extends the reliability standards to more systems and assets. Automation World reports that NERC-CIP, considered an asset management tool, is marked by uncertainties and ambiguous language, raising concerns in the industry and among industry observers as companies try to comply with the standards. Version 5 is a progressive move toward securing the BES, but it may not be sufficient. “They needed to take a giant leap,” Vajda contends. “Industry now screams for a defined control set with very specific requirements that don’t permit subjective and ambiguous interpretations.”

“It’s not specific enough,” adds Andrew Ginter, vice president of industrial security at Waterfall Security Solutions in Calgary, Alberta. The uncertainty is also a concern for Eric Byres, chief technology officer and vice-president of engineering at Tofino Security in Lantzville, British Columbia. “I’ve never seen such a moving target, where no one knows what version or standards they’re supposed to comply with,” Byres said.

Companies seek clarity on NERC’s expectations and on how those expectations differ from the most current CIP version, especially since firms can face daily fines of up to $1 million for violating CIP standards.