This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out security gaps, ambiguities, and areas that could prove challenging to audit. The purpose of the posts is to highlight areas for future improvement, and to draw attention to issues for which entities may wish to apply greater diligence than is currently required by regulation.
Michael Toecker, Digital Bond
“There’s a wonderful line in every NERC CIP regulation located in the Exemptions section, stating that the following are exempt from the NERC CIP standards:
This simple statement allows entities to automatically remove a set of assets from NERC consideration that could otherwise be considered critical to the operation of the BES. The initial push for this requirement during the development of the original CIP standards was that entities often didn’t have any control of telecommunications networks; they only used them for communication. This is a valid, though poorly implemented, concern and was mainly in regard to contracts that would require re-negotiation and ensuring they weren’t trying to regulate non-electric entities.
The basic problem I have with this statement is simple: with the sweep of a pen, it removes an entire swath of potentially critical assets and communications from consideration without requiring commensurate protections to make up for the resulting vulnerability. It’s been years since the original CIPs, and the exemption has simply been imported without examining the underlying risks and vulnerabilities it causes.”