Someone emailed me today to ask if I was the blogger behind the FOIA request for NERC to identify the NERC entities behind Notices of Penalty. No, I’m not, although I know who the blogger is. I don’t actually know him and we’ve never exchanged emails. He’s one of the many practitioners of the great sport of Utility Bashing, which I have written about in at least three posts, including this one, this one and this one. It sounds like this gentleman and some of his friends have decided that the best way to reveal the decrepit state of security in the electric power industry is to get the names of all CIP violators.
If these people were right that CIP violations automatically equate to bad security, I might agree with their effort. But as I pointed out in this post after the $10MM Duke fine was announced, CIP compliance isn’t a good measure of cybersecurity. Electric utilities spend huge amounts of resources on tasks that are required for CIP compliance, but have little to nothing to do with security. And this inevitably siphons money away from mitigating cyber threats that aren’t addressed at all in CIP nowadays (and never will be, until there is a fundamental rewrite of the CIP standards and compliance regime), including the four I mentioned in the post just referenced: phishing, ransomware, machine-to-machine access into Electronic Security Perimeters, and vulnerabilities in custom-developed software.
A utility that tried to treat all cyber threats the same (whether or not they’re subject to a CIP requirement), and allocated their cyber risk mitigation resources strictly based on the degree of risk posed by each threat, would probably end up paying a big bill like Duke. And a utility that threw every dime they had into CIP compliance, and had a program that auditors swooned over, would of course always have clean audits. Yet which one would have better cybersecurity? No question, it would be the first one, because they would be spending every dollar where it mitigated the highest amount of cyber risk. The 100% compliant utility would be spending large amounts of their cyber budget mitigating risks that were already pretty well mitigated, while ignoring some of the biggest cyber risks in the world today.
I’ve heard there’s a good chance the FOIA request will succeed, to the extent of getting NERC to reveal names of violators that are a number of years (five?) old. I don’t think that’s a bad thing. But I also don’t think it will improve grid security at all. Indeed, to the extent it will make utilities devote even more cybersecurity dollars to making sure they have absolutely bulletproof CIP compliance programs and even less to cyber threats not covered by CIP at all, it will weaken grid security, not strengthen it.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.