Working in the Electric Utility sector of critical infrastructure gives a person a very unique perspective on how many of the pieces of the puzzle fit together to provide uninterrupted services to a broad population. My personal experience as a software engineer in the electrical industry introduced me to the nuances that the average person doesn’t consider when they flip on a light switch. When I moved into the cybersecurity space, an entirely new realm was opened up.

The shifting sands of cybersecurity, along with regulations are sowing the seeds of vast changes, not only in the electrical sector, but in all utilities. However, when seeking direction in protecting the utility sector, the most mature model is the one presented by the North American Electric Reliability Corporation (NERC), specifically, the Critical Infrastructure Protection (CIP) guidance. The NERC CIP is the most mature of the utility control models and has just surpassed its 20th birthday.

Part of what makes NERC CIP relevant to critical industry verticals as a whole is that it was developed out of the attention brought about by the large East Coast power outage of 2003. Realization that malware lurking on systems giving command and control capability to and outside entity was a major risk to our infrastructure and safety and something had to be done to address that risk. Recent events in water management, food production and pipeline security have shone a bright light on making these sectors more secure as well. What better way to create new guidance than to borrow what works from an existing source?

Why More Guidance for Critical INfrastructure was Created

The need for more guidance in other sectors hit a tipping point in the last year. Both supply chain attacks, and trade wars lead to new (Read more...)