Thursday, May 19, 2011

The NERC CIP evolution

The North American Reliability Corp.’s critical infrastructure protection rules (NERC CIP) continue to affect power utilities. That is not about to lessen; if anything, the rules are bound to get more detailed and restrictive as NERC CIP grows and adapts to the industry and the smart grid.

“Security and compliance are spelled differently in the English language because they actually mean different things,” said Tim Roxey, director of risk assessment and technology division for the North American Reliability Corp. at a session during the UTC Telecom Conf. in Long Beach May 10-13, 2011.

“We have a culture of compliance when we should really have a culture of security,” he added, noting the continuing discussion about whether adhering to the CIP rules really makes a utility more secure. But, Roxey said, the industry needs to work with what it has at the moment, which is compliance, and that is where NERC CIP enters the security equation.

The industry is starting with compliance and hoping to evolve into real security protection as the versions change to meet smart grid needs. That process can be painful, complex and problematic. But there has been progress.

“Do I really gotta? Yeah I really gotta,” Roxey joked, rolling through a short history of the CIPs.

“When I started in this industry, the communications infrastructure was a guy named Joe who basically lived in the substation and had a phone,” he said. “Now it’s this incredibly complex system.”

“It’s almost impossible for a company to remain compliant, let alone secure, because of the complexity,” Roxey said, noting that the complexity moves past just communications and that guy named Joe to all other areas covered by CIP.

Details and differences are the history of NERC CIP, noted the panelist who followed Roxey. Those differences and details created the complexity issue, which in turn feeds the compliance-versus-security argument.

“NERC CIP is all about compliance and not about security,” said Jerome Farquharson, practice manager at Burns and McDonnell. “Eighty to 90 percent of what a utility is doing with NERC CIP is paperwork.”

“Compliance doesn’t necessarily make you secure,” Farquharson added. “But, as we grow and change, we are trying to put more emphasis on security.”

Farquharson noted that clarity about critical assets, what they are and where they start and stop in the utility structure, is a major goal of the industry, though the standards have not yet reached that point of clarity. But both Farquharson and Roxey see that clarity coming.

So NERC CIP is growing, with a few growing pains from that cultural evolution. But what a utility needs to focus on is what is in front of it right now.

“At the end of the day, it is what it is,” Farquharson said, stressing that compliance is required, despite some issues with clarity. “We may not like the system. That’s fine, but we need to do it.”

Farquharson does see NERC CIP becoming the “de facto” standard in this area, so a utility should not expect the standards to go the way of the dodo.

Perhaps someone should call Joe down at the substation and make sure he has a pencil.

This is an excerpt from a longer article scheduled for the August issue of POWERGRID International magazine.

1 comment:

  1. “We have a culture of compliance when we should really have a culture of security,” - Wow very powerful when you consider what happened to Iran. Full disclosure, we're a vendor that helps companies achieve NERC CIP compliance. We take it very seriously. I'm wondering if most of your readers have found that meeting requirements by bringing someone in house works, or if they are turning to vendors like us?