How Does the Industry Get Away with Doing Nothing?

How is the industry getting away with doing nothing?

NERC's [standards], the industry voted on them. They created them themselves. So what utilities are doing, and NERC has given them the ability to do, is basically to say, "I don't have" or "I have very, very few" critical cyber-assets. Then they don't have much to do besides a paper exercise. [NIST's proposed standard] says you don't have exclusions or exceptions. You have to assess these things. Same as for mainstream IT systems. [Industry wants] to exclude even looking.

Could you please explain what's going on in Washington?

Congress is going back and working with FERC. The reason is that, in the energy policy act, [there's] effectively a poison pill to prevent FERC from being able to act like a regulator. It's prevented them from writing standards or rules. All it said was they can approve them. So the industry submitted NERC [rules] to FERC. FERC has a problem with them. FERC is going to send them back to NERC and say this is unacceptable, and then NERC has to put it back out for ballot. If they put out for ballot what FERC has told them to put in, it will be rejected. The only thing they'll approve is something watered down with minimal value. [I predict that] what you'll see is an endless "do loop" [in Congress] and the grid being vulnerable for I don't know how long. Congress is working with FERC to determine how they can essentially be in the position to do their job and regulate and mandate. [But] to amend the energy act, that will probably take years. To get the energy act through in the first place took years. People are trying to [figure out], How do you get this fixed now, not 5 years or 10 years from now? And that's what's going on in Washington.

The NERC standards are set up in such a way that the first is the scoping document. If you determine that a piece of equipment is to be considered a critical cyber-asset, you have to go through and do the security program for it. If, on the other hand, you say it's not a critical cyber-asset, you don't do anything more. Period. You're done. You don't have to look at it anymore.