In this week’s episode of the podcast (#132): in the wake of news of the biggest fine yet for violations of the NERC Critical Infrastructure Protection (CIP) standard, we talk with Willy Leichter and Saurabh Sharma of the firm Virsec about whether the industry’s main security standard even matters in an age of sophisticated, nation-backed hackers.
As we reported last week, NERC – the North American Electric Reliability Corporation – issued a $10 million fine and a 250-page report (PDF) detailing the failure by one of its member companies to abide by the organization’s main cyber security regulation, the Critical Infrastructure Protection or CIP standards.
Thirteen of the violations listed were rated as a “serious risk” to the operation of the Bulk Power System and 62 were rated a “moderate risk.” Together, the “collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System),” NERC wrote.
The report was heavily redacted, blacking out the name of the fined entity (or entities) as well as some details of the violations. Still, subsequent public reports citing unnamed energy industry sources have identified Duke Energy Corp. as the subject of the fines. In a statement to the Security Ledger, that company said that it could not confirm or deny that allegation, citing the “potential physical and cyber security risks that a disclosure could pose to the industry.”
With all the secrecy around the company that was penalized and the violations, it can be hard to assess the importance of the fine itself. Is a $10 million NERC CIP violation a major development in the electric generation and distribution industry? And, with nation-states like China and Russia dialed in on US critical infrastructure, do the NERC CIP standards even matter anymore? To answer some of those questions, we reached out to some experts on critical infrastructure security and invited them into the Security Ledger studios to talk.
Willy Leichter is the Vice President of Marketing and Saurabh Sharma is the Vice President of Business Development at the firm Virsec, which works with major corporations as well as intelligence agencies to secure critical infrastructure, including parts of the US electric grid.
In this interview, Willy, Saurabh and I talk about the state of play in the critical infrastructure space and whether NERC’s enforcement action and the CIP standard are likely to have an impact on the overall security of the electrical grid in an environment of growing risks.