Thursday, September 20, 2012
Wednesday, September 28, 2011
Monday, March 14, 2011
Roger also attended last week's CIPC meeting in Phoenix.
N&ST is based in Pearl River, New York - just outside of NYC. Other team members will be heading in to the city to visit with some of our friends who are coming in from all over North America!
All of us at N&ST are wishing the SDT an enjoyable and productive week in NYC!
Tuesday, February 8, 2011
The white paper is available here.
Please take a look and tell us what you think!
Monday, January 17, 2011
I'm in Columbus as well, and I'm planning on attending at least the first morning of the SDT meeting.
Feel free to drop one of us a line if you're here in Columbus.
Saturday, December 11, 2010
N&ST cast its NERC Registered Ballot Body ballot (Segment 8) against the new version of CIP-005. Here are the comments submitted with the Negative ballot:
N&ST suggests revising R6.1 to allow certain remote systems to access Cyber Assets within an ESP directly when all of the following conditions are true:
(a) The remote system is controlled by the same Responsible Entity as the Cyber Assets within the ESP.
(b) There is an operational requirement for direct access. Some activities, such as patching and vulnerability assessments, may be difficult or impossible via an intermediate system. The Responsible Entity should be required to document the operational requirement that makes direct connection necessary.
(c) The remote system meets the requirements of R6.5.1, R6.5.2, and R6.5.3.
N&ST considers account management Requirements 6.3.1 and 6.3.2 to be redundant and already addressed by existing CIP-005-3 requirement R2.5 (renumbered to R2.4 in proposed CIP-005-4), as well as by CIP-004 Requirement R4. They should be eliminated.
N&ST also considers Requirement R6.3.3 largely addressed by the existing CIP-005 requirement for Cyber Vulnerability Assessment (R4). It should either be eliminated entirely, or any of its provisions that are unique to remote access (such as encryption or 2-factor authentication) should be appended to existing CIP-005 Requirement R4.
N&ST does believe requirements R6.5.1, R6.5.2, and R6.5.3 can and should be applied to remote systems with direct access to systems within the ESP. However, we believe they should not be applied to indirectly connected systems that are under the Responsible Entity's control. We also believe that NONE of requirements R6.5.1 through R6.5.4 should apply to remote systems that are NOT under the Responsible Entity's control or are not used to connect to the ESP. This recommendation is based on our belief that as written the requirements are unenforceable and cannot be audited. A signed and dated acknowledgement form would, in our opinion, prove nothing.