Princeton, NJ, Dec. 22, 2008 — As part of its efforts to better address cyber security and critical infrastructure protection, the North American Electric Reliability Corporation and its Cyber Security Standard Drafting Team have recently released phase one of proposed revisions to eight Critical Infrastructure Protection reliability standards for industry comment and review.
The standards (CIP-002 through CIP-009) are designed to ensure utilities and other users, owners, and operators of the bulk power system in North America have appropriate procedures in place to protect critical infrastructure from cyber attack.
Scheduled to be filed with regulatory organizations for final approval this spring, phase I revisions address a number of wording changes to the existing standards as specifically outlined in the Federal Energy Regulatory Commission’s Order 706, released in January 2008. The proposed modifications to the standards address the directive in Order 706 to “remove references to reasonable business judgment (in the standards) before compliance audits begin in 2009.” This phase also closes a gap in the existing standards, specifying a compliance schedule for newly identified critical assets.
Work on Phase II has already begun and will result in more significant revisions, which may change some of the philosophical foundations of the standards. These efforts will include a more thorough evaluation of the National Institute of Standards and Technology standards and risk management framework and their applicability to the bulk power system.
“Developing the multi-phase approach has enabled us to address pressing concerns around the existing standards in the short term while devoting the appropriate resources to thoroughly address more complex revisions in the long term,” said Jeri D. Brewer of the United States Bureau of Reclamation, the chair of the Cyber Security Standard Drafting Team. “We are firmly committed to drafting stronger standards that will better protect our continent’s bulk power system infrastructure and achieving this goal on a schedule that will make these standards mandatory and enforceable promptly and effectively.”
“These phase I revisions represent an unprecedented effort to improve existing standards in a short, two-month revision cycle and are evidence of the volunteer-based team’s dedication to this important work,” commented Gerry Adamski, Vice President of Standards Development at NERC. “We all recognize, however, that there is still much work to be done. I am confident that the industry-based standards development process will meet the high expectations set out for this critical project and look forward to working closely with the drafting team as this project progresses.”
The proposed modifications to the eight Critical Infrastructure Protection reliability standards are available here.