Page 16 - Cyber Warnings







For almost 3 years, NERC has taken a flexible compliance monitoring and enforcement
approach during what it called a “Transition Period.” The goal here was to help with logistical
transition, but also to educate owners and operators on the technical security requirements of
NERC CIP V5. But with roughly 5 weeks until NERC CIP V5 was set to become enforceable,
FERC decided to grant the petition by several electric trade organizations to postpone
implementation.

This delay comes as a surprise to many in the industry who have worked so hard over the past
three years to reach compliance. As Gutierrez wrote on the SANS blog:

“I'm concerned about the perception these types of decisions create. The electric
industry is full of hard working, incredibly dedicated people who want to do the right
thing. But that thing keeps changing. These folks will undoubtedly feel silly having to
explain to their leadership how the race to April 1 wasn't so urgent after all. Frankly it
makes FERC, NERC and the industry look inept to those not close enough to
understand it all. I really wish the regulators would get their act together and stop putting
entities in this position. CIP really is hard enough already.”

While most agree that NERC CIP V5 will help reduce risk, there should be no mistaking the
standards as a final or ‘absolute’ solution in which the majority of cyber risk will be permanently
minimized. In fact, the unintended consequence of any regulation is that it can still easily lead
organizations into a ‘check-the-box’ mentality. Instead, standards should be interpreted as
models and guides for industries and organizations to take action rather than sit idle to admire
new and existing security challenges and threats.

Only time will tell how seriously owners and operators take V5 now that V6 is confirmed for
release on the same day that V5 is scheduled to take effect. Regardless, this delay underscores
the need for the energy industry to create a security culture that prioritizes the mitigation of
dangerous and frequent cyber threats over the politics that hinder even the most
well-intentioned industry standards and guidelines.



About the Author

Doug Wylie is the vice president of product marketing at NexDefense, a
leading provider of cybersecurity for industrial control systems.












16 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
