Comments on Tom Alrich's Blog: A new record!
(comment feed, last updated 2024-03-21T03:56:54-05:00)

Tom Alrich, 2019-02-06T13:36:09-06:00:

Regarding Jason R's comment, a CIP compliance person wrote in to point out to me that at least one of the requirement parts Duke violated is High-only: CIP-010 R3.3. So Jason R's comment needs to be corrected (Jason R has privately confirmed to me that he might have missed one or more High-only requirements in the NoP, since, as he pointed out, this observation was based on a "quick scan").

So obviously there was one High Control Center in violation of at least one requirement part. But I'm sure Duke has a number of High Control Centers. Were all of them in violation of this part? Not likely, but because of the redaction, we simply can't answer questions like this.

And since I'm a Larger Lessons kind of guy, here's a larger lesson: I understand that NERC wants to protect information that might in any way enable an attack on the grid. However, there's a cost to this, which is that it is very hard to draw concrete lessons from NoPs, meaning it is hard to learn from the mistakes of others.

Tom Alrich, 2019-02-02T14:25:03-06:00:

By the way, my quote got cut out of the WSJ's print edition, so it's only online. But I just realized that the whole article is available, even though generally they're all behind a paywall (I assume this was because of WSJ's feelings about the importance of the subject): https://www.wsj.com/articles/duke-energy-broke-rules-designed-to-keep-electric-grid-safe-11549056238?mod=hp_major_pos13

Tom Alrich, 2019-02-02T13:56:56-06:00:

I don't doubt it's Duke. Your observations are quite good, Jason. I'm writing a post, which should be up Sunday, that follows up on this - in clarification of a quote from me that appeared in today's Wall Street Journal. I'm sure Duke has High impact Control Centers, so if there aren't any High requirement violations, this comports with NERC's statement that the risk to the BES is more due to the collective impact of all the violations than to any one or two which in themselves could have enabled a serious cyber attack.

Jason R, 2019-02-02T13:37:02-06:00:

I have heard two different rumors as to who it is. The WSJ has published one of them.

I did a quick scan of the requirements violated. I saw no violations that were High-Impact only requirements (maybe I am wrong and missed one). This leads me to conclude the org(s) are all small to medium-sized with no High-Impact Assets. If so, and these org(s) are small to medium-sized (like one that has 40K customers), $10M is a pretty significant fine.

If the WSJ is correct, then $10M is pocket change, especially for the amount of time covered and requirements violated.