Wednesday, November 17, 2010

A Few Pointed Suggestions for Improving the NERC CIPs, and in so doing, Grid Cyber Security

This short article released on the ControlGlobal site last week addresses technical issues, but defines its terms and acronyms well enough to be understandable to business readers.

Key points are:
  1. Using spot checks on systems to go beyond the current paper chase approach to validating CIP compliance; and,
  2. Acknowledging that attackers and malware will find ways around or through current "outer wall" network defenses, and instituting a less perimeter-oriented approach to security controls, with guidance on the use of DMZs between internal networks.

These guys are aiming for "actual security" versus faux security via a pure compliance choreography. You may not agree with all the guidance. Depending on your orientation, you may think this is too much ... or too little. Or you may find that some of the recommendations would increase costs for stakeholders, but overall, I believe this is potentially helpful stuff.
