How can we effectively regulate grid security?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards were designed to prevent potentially devastating cyberattacks on the control systems that run the North American Bulk Electric System (BES). While these standards have undoubtedly contributed to making the BES much more secure, they also suffer from some serious — and escalating — problems, which are pushing them toward a point at which, within a few years, the NERC CIP standards may be seen as causing more harm than good. This paper describes what the author believes to be the four most important problems with NERC CIP and discusses their causes and effects. The paper concludes with a set of general principles that could be used to construct a new NERC CIP compliance regime (including the standards themselves and the rules for enforcing them) that would avoid these problems and set NERC CIP on a sustainable track, so that the standards can continue to be seen as a powerful force for improving the security of the electric power grid. The paper provides ‘lessons learned’ not just for NERC CIP, but for other mandatory cyber security standards as well. The author hopes that these lessons learned will be applied in practice.
Tom Alrich is a well-known consultant on compliance with the NERC CIP cyber security standards for the North American electric power grid. Tom writes a blog (available at http://tomalrichblog.blogspot.com/) on new developments in the CIP standards, which gets a lot of attention from the power industry and from the regulators. He is currently writing a book on problems with the NERC CIP standards and how they can be solved. Tom has previously consulted on NERC CIP for Deloitte and Honeywell. He has a degree in economics from the University of Chicago and lives in Evanston, Illinois.