
By: Sean Sherman

FERC (the Federal Energy Regulatory Commission) released a new order on March 19th, 2009 that changes the scope of the NERC CIP (Critical Infrastructure Protection) rules to include "Facilities regulated by the U.S. Nuclear Regulatory Commission", i.e. nuclear plants. On its face this is a straightforward ruling: generation sources, and especially ones that supply roughly 20% of national production, should not sit outside the security controls and compliance rules that the rest of the bulk power system has to abide by. To that end, perhaps there is no controversy.

However, this is also like someone changing a former one-way street into a two-way street. There will be some trepidation and concern about whether the rules of the road are known and observed by everyone, and the lines on the road must be clear. My point is that the scope of compliance is always a big deal. I suspect more clarification will be needed as those responsible for CIP compliance start to work with those responsible for NRC "structures, systems and components" compliance as well. Who will negotiate disagreements? How do we avoid compliance and security gaps on one side, and dual regulation of the same equipment on the other?

  • Geoff Daley

    Speaking as someone who has worked in IT both at a nuclear plant and managing patching & AV infrastructure services for SCADA systems, I can tell you that the particular plant I'm referring to, under cyber security policies mandated by the Nuclear Regulatory Commission, meets or exceeds CIP standards 002-009. I can't speak for other utilities, just the experience I have. One of the biggest challenges though has been in identifying what should be classified as a CCA or CA and where the boundaries exist.