ABOUT THIS EPISODE
Almost all discussion around the NERC CIP cybersecurity standards for the electric sector focus on compliance. What do the standards require? How will I be audited? What happens if I fail the audit? Lost in this discussion is the underlying purpose of the standards was to reduce the risk of a cyber incident causing a significant impact to the ability to generate and deliver electricity.
So I decided to interview Patrick Miller of the Archer Security Group about how NERC CIP has affected the security of electric generation and transmission in the US. Patrick has experience as an asset owner, auditor, Energysec President and now leading a team of consultants that provide NERC CIP services. After a quick question on the size and expected growth of the CIP security services market we focused on security. Some of the areas discussed include:
- What difference, if any, CIP-013 is likely to make to asset owner security posture? (Note: at least it requires code signing)
- Has CIP reduced the paperwork and administrative burden over the past five years to improve the efficiency of applying security?
- How is CIP dealing with high impact low frequency events?
- Is executive management / Board of Directors supporting cybersecurity beyond CIP requirements?
- For those doing more than CIP, what area are they focusing most on in the NIST Framework (Identify, Protect, Detect, Respond, Recover)
- Is CIP affecting cyber insurance in the electric sector?
- What should other industries facing regulation learn from the success and failures of NERC CIP.
As always I appreciate any feedback as well as suggestions and topics for future episodes. Send this to [email protected]