Thursday, September 20, 2012

NERC GridSecCon

A number of folks from N&ST will be attending NERC's GridSecCon in San Diego in a few weeks. We were very impressed with the first GridSecCon last year in New Orleans, and this year's agenda looks promising.


Wednesday, September 28, 2011

Updated NERC CIP-4 White Paper

N&ST has updated its white paper on NERC CIP version 4. It's available here:

Please let us know if you have any feedback, or any additional questions!

Monday, March 14, 2011

706 SDT in NYC

Roger Fradenburgh is on his way to NYC to participate in the Cyber Security Order 706 Standards Drafting Team meeting at Con Ed.

Roger also attended last week's CIPC meeting in Phoenix.

N&ST is based in Pearl River, New York - just outside of NYC. Other team members will be heading in to the city to visit with some of our friends who are coming in from all over North America!

All of us at N&ST are wishing the SDT an enjoyable and productive week in NYC!

Tuesday, February 8, 2011

New CIP-4 White Paper

N&ST has released a new white paper on "version 4" of the NERC CIP standards. The white paper presents common "questions and answers" about the new version of CIP-4 and the associated Implementation Plan.

The white paper is available here.

Please take a look and tell us what you think!

Monday, January 17, 2011

706 SDT in Columbus

Roger Fradenburgh from our team is in Columbus this week to participate in the Cyber Security Order 706 Standards Drafting Team meeting at AEP.

I'm in Columbus as well, and I'm planning on attending at least the first morning of the SDT meeting.

Feel free to drop one of us a line if you're here in Columbus.

Saturday, December 11, 2010


N&ST cast its NERC Registered Ballot Body ballot (Segment 8) against the new version of CIP-005. Here are the comments submitted with the Negative ballot:

N&ST suggests revising R6.1 to allow certain remote systems to access Cyber Assets within an ESP directly when all of the following conditions are true:

(a) The remote system is controlled by the same Responsible Entity as the Cyber Assets within the ESP.

(b) There is an operational requirement for direct access. Some activities, such as patching and vulnerability assessments, may be difficult or impossible via an intermediate system. The Responsible Entity should be required to document the operational requirement that makes direct connection necessary.

(c) The remote system meets the requirements of R6.5.1, R6.5.2, and R6.5.3.

N&ST considers account management Requirements 6.3.1 and 6.3.2 to be redundant and already addressed by existing CIP-005-3 requirement R2.5 (renumbered to R2.4 in proposed CIP-005-4), as well as by CIP-004 Requirement R4. They should be eliminated.

N&ST also considers Requirement R6.3.3 largely addressed by the existing CIP-005 requirement for Cyber Vulnerability Assessment (R4). It should either be eliminated entirely, or any of its provisions that are unique to remote access (such as encryption or 2-factor authentication) should be appended to existing CIP-005 Requirement R4.

N&ST does believe requirements R6.5.1, R6.5.2, and R6.5.3 can and should be applied to remote systems with direct access to systems within the ESP. However, we believe they should not be applied to indirectly connected systems that are under the Responsible Entity's control. We also believe that NONE of requirements R6.5.1 through R6.5.4 should apply to remote systems that are NOT under the Responsible Entity's control or are not used to connect to the ESP. This recommendation is based on our belief that as written the requirements are unenforceable and cannot be audited. A signed and dated acknowledgement form would, in our opinion, prove nothing.

Friday, December 10, 2010


N&ST just cast its vote (Segment 8) in favor of the new version of CIP-002.

While I think most people would tweak small things about this standard if given the opportunity, it seems like it is time to get behind this new, revised approach to CIP-002.