Lessons Learned: NERC’s $10M Enforcement Action
Source: Pexels.com (CC0 License)
- February 20, 2019
- 563 views
The recent enforcement action published by the North American Electric Reliability Corporation (NERC) against Duke Energy has raised questions regarding the best cybersecurity risk management strategy for electric utilities.
Generally, an electric utility’s cybersecurity program aims to balance effective security alongside efficient operations, with cybersecurity controls focused on three major areas:
In comparison, the NERC Critical Infrastructure Protection (CIP) Standards emphasize prevention and the importance of maintaining a known baseline configuration. While this is an effective strategy after enough time and maturity, it’s strong emphasis on compliance naturally requires significant investments in resources and training.
As threats against electric utilities becomes increasingly dynamic and harder to prevent due to the rising complexity of systems, there must also be an increased focus on threat prioritization and the detection and response/recovery security controls. The NERC CIP Standards do seem to recognize this trend with the increased allowance of risk-based implementations in the more recent standards, but this fine would indicate a strong preference for prevention security controls and only minimal recognition for detection and response/recovery controls.
Clearly, this action and fine will drive changes in Duke Energy’s NERC CIP compliance program, but the resulting changes may be focused on prevention rather than detection and response/recovery areas. In the interest of comprehensive risk management, the overall strategy for cybersecurity risk management must start to embrace threat prioritization with emphasis on detection and response/recovery from cybersecurity events.