critical infrastructure

NERC CIP Version 5 Fails to Pass First Vote

Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The results of the voting have been released, and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.

Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote. 

Version 3 of the NERC CIP standards is in place now, with version 4 approved and awaiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementing procedures to comply with version 4 would not be necessary. The failed vote brings this possibility into question.

GAO Recommends Better Guidance from Government to Critical Infrastructure About Cybersecurity

A new report by the Government Accountability Office (GAO) recommended that the Department of Homeland Security (DHS) work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities and that for federal government entities.

MIT ‘Future of Grid’ Report Highlights Cybersecurity Concerns

U.S. utilities are building intelligence into their networks with the aim of making power distribution more efficient; however, these efforts are getting caught in a myriad of regulations that leave their security efforts incomplete, inadequate and uncoordinated. According to a new report released by researchers at the Massachusetts Institute of Technology (MIT), a single federal agency should be in charge of the nation’s critical infrastructure security, instead of responsibility being spread across a group of organizations, as it currently is. The findings also stated that this greater reliance on data communications in the grid increases the importance of standardization for interoperability and of cybersecurity, and raises serious issues of privacy. The report also discussed the potential risk factors to the grid from the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy. It largely stated that with the right policy measures, the grid would be able to handle the influx of electric vehicles as well as renewable generation sources including wind and solar.

NERC Issues New CIP 5 Standards and Implementation Plan For Comment

In a recent announcement, the North American Electric Reliability Corporation (NERC) has published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1), a set of new and revised NERC Glossary definitions, and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period through Friday, January 6, 2012; comments will be accepted via an electronic form. The implementation plan, also called the mapping document, identifies each requirement in the already-approved Version 4 CIP standards and identifies how the requirement has been treated in the Version 5 CIP standards. For more information, click here.

 

Security of Siemens SCADA Systems Products Questioned

A security researcher working for NSS Labs, an electronics security firm, reportedly identified security flaws in Siemens industrial control management systems that expose critical infrastructure systems to hackers. Siemens SCADA systems were at the center of last year's Stuxnet attacks, in which the computer worm reportedly affected Iran's nuclear facilities. Industry news source Dark Reading reported that the researcher and Siemens had been collaborating with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to come up with fixes for the flaws identified, but NSS Labs found that the fixes Siemens came up with still did not fully protect the affected systems. The researcher, Dillon Beresford, noted that he was able to bypass the fix within 45 minutes, and notified both Siemens and ICS-CERT of this issue.

UTC Urges FCC/NTIA to Provide Utilities and CII Access to Federal Spectrum

In comments filed with the Federal Communications Commission (FCC) late last week, UTC urged the FCC and the National Telecommunications and Information Administration (NTIA) to provide access to federal spectrum for utilities and other critical infrastructure industries (CII). The comments were filed in response to a Public Notice from the FCC inviting comment on technical issues associated with the spectrum bands identified in an NTIA report that was released in October 2010. This report identifies 115 MHz of federal spectrum that could be freed up for broadband purposes.
