
Critical Infrastructure Protection (CIP): Security problems exist despite compliance

Steve Ragan | July 3, 2017
North America's bulk power system is required to adhere to NERC CIP standards, but compliance doesn't mean critical assets are completely safe.

The big problem comes from the resources and people who are supposed to be working the program in the event of an incident. “With physical incident response/disaster recovery, these people have emergency roles which they assume in the event of a storm, or a major component failure, or a squirrel. But when it comes to the digital incident response/disaster recovery plan, these people, who are supposed to be working the program in the event of an incident, often don't know their roles,” Grimes adds.


It's not all bad, but more can be done

As mentioned earlier, despite the problems he outlined, CIP overall works, and the facilities that are bound by it are better because of it. However, the lesson is that compliance isn't security, and in some cases, it isn't even a good baseline. Developing an honest threat model and understanding the real risks the organization faces will go further toward a solid security baseline than any compliance measure.

