I noted a number of interesting statements at GridSecCon this year, as well as on the Friday trip to SecureWorks’ headquarters in Atlanta, which proved to be well worth the time, and I’d like to tell you about them. I’ll gradually work through them as I get time; I hope I’m finished by the next GridSecCon!
One comment I found especially interesting was during a panel on natural gas security. Robert Mims of Southern Companies is in charge of cyber security for their natural gas division. He lamented the fact that his team consists of exactly four people, while his peer on the electric side has “hundreds” of people working for him.
What’s the difference? He doesn’t face a mandatory cyber standard like NERC CIP. He had no doubt that if he did, his head count would be much bigger than it is. (Of course, even if the electric side had no mandatory cyber standards to worry about, I’m sure their team would still be several times the size of the gas team. There are just a lot more moving parts on the electric side, and in general I believe the danger of a cyber attack causing serious physical damage is much lower in gas than in electric.)
And this goes to the real reason why mandatory standards are needed in some cases: the flow of money from management increases substantially when there are penalties to worry about. (I don’t think the monetary penalties are the biggest incentive for compliance, though. I’ve always said that power companies would do almost everything they could to avoid violations even if the “penalty” were a trip to Disney World. In the long run, the reputational and other damage is much more painful than the monetary damage.)
So as much as I complain about problems with the CIP standards, I don’t want to see mandatory standards go away. However, I do think all security standards should follow one Golden Rule: as much as possible, they should simply require the entity’s cyber staff to do what they would do on their own if they received the same level of funding they now get under the current NERC CIP standards, but didn’t have to comply with any standard. I contend they would “identify and assess” their cyber risks (to use the words found in CIP-013 R1.1, which is the best example so far of this approach), and mitigate the most important ones. And they would mitigate them using the most efficient approach possible, since they wouldn’t have to follow prescriptive requirements that inherently aren’t the most efficient approach, sometimes not by a long shot.
In other words, I would rewrite all of the CIP standards along the lines of CIP-013, although I’d make improvements to that, and there are other considerations as well[i]. But if you take away mandatory standards, you turn off the money spigot. Indeed, a number of NERC entities have freely admitted to me that they would never get the same level of cyber funding as they do now, were it not for NERC CIP. Some even admit to justifying purchases as being “required by NERC CIP” when in reality that’s not the case. But you didn’t hear that here, of course…
So tonight, you should thank your lucky stars that NERC CIP is mandatory, not a voluntary framework. As the Beatles said (in “Back in the USSR” from the White Album), “…(you) don’t know how lucky you are, boys…”
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.