
Lessons Learned: NERC’s $10M Enforcement Action


The recent enforcement action published by the North American Electric Reliability Corporation (NERC) against Duke Energy has raised questions regarding the best cybersecurity risk management strategy for electric utilities.

Generally, an electric utility’s cybersecurity program aims to balance effective security alongside efficient operations, with cybersecurity controls focused on three major areas:

• Prevention
• Detection
• Response/Recovery

In comparison, the NERC Critical Infrastructure Protection (CIP) Standards emphasize prevention and the importance of maintaining a known baseline configuration. While this is an effective strategy once a program has had enough time to mature, its strong emphasis on compliance naturally requires significant investments in resources and training.

As threats against electric utilities become increasingly dynamic and harder to prevent due to the rising complexity of systems, there must also be an increased focus on threat prioritization and on the detection and response/recovery security controls. The NERC CIP Standards do seem to recognize this trend with the increased allowance of risk-based implementations in the more recent standards, but this fine would indicate a strong preference for prevention security controls and only minimal recognition for detection and response/recovery controls.

Clearly, this action and fine will drive changes in Duke Energy’s NERC CIP compliance program, but the resulting changes may be focused on prevention rather than detection and response/recovery areas. In the interest of comprehensive risk management, the overall strategy for cybersecurity risk management must start to embrace threat prioritization with emphasis on detection and response/recovery from cybersecurity events.

Author: Jeff Pack
