This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.
Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....
Tom Alrich has identified what he sees as a significant problem looming for the NERC CIP cyber security regulations for electric utilities and power producers: There is a fundamental ambiguity at the heart of NERC CIP Version 4, the version of the standards now set to take effect on April 1, 2014. The big change in Version 4 was the introduction of so-called “bright line” criteria for determining which utility assets (power plants, control centers, transmission substations and others) will need to comply – due to a lot of disagreement on applicability of the standards in previous versions.
Given that the cost of CIP compliance for even a single power plant can well be in the millions of dollars, this is no small problem. Utilities are currently faced with the unpalatable choice of spending that money on an asset which may later turn out not to be in scope under Version 4, or not spending the money and risking being fined hundreds of thousands or even millions of dollars when a future audit determines the asset was in scope after all. Tom says he can see no real solution to this problem, but he suggests that NERC (the North American Electric Reliability Corporation, which promulgates and enforces electric grid reliability standards, including CIP) develop a comprehensive set of guidelines for applying the bright line criteria, and for producing evidence of compliance.My guess is this isn't the last we'll be hearing on this topic. Here's the LINK to full article.
