Environmental Review & Case Study: NERC's Cybersecurity Standards for the Electric Grid: Fulfilling Its Reliability Day Job and Moonlighting as a Cybersecurity Model

Abstract

The electric industry is experiencing notable changes with the implementation of communication and automation technology, many of which are part of the smart grid movement. Similar to other critical infrastructure industries such as banking, transportation, and the cross-sector critical information infrastructure industry, the electric industry must protect itself from intentional and unintentional security breaches and incidents to ensure uninterrupted operations of essential services. Of the critical infrastructure industries, the electric industry is the only private-sector industry subject to government-enforced mandatory cybersecurity standards. This article presents an overview of the eight mandatory cybersecurity standards by the North American Electric Reliability Corporation. As an example of how standards are evolving, it discusses CIP-002 (Critical Cyber Asset Identification) in depth because it establishes whether the remaining seven standards apply. This article then compares the North American Electric Reliability Corporation regulatory framework against critical information infrastructure goals. The comparison finds that, at least on a basic level, the electric industry's mandatory cybersecurity standards meet the critical information infrastructure goals and work to secure information networks, resources, and systems from cyber and physical threats. The mandatory cybersecurity standards promote an increase in technological products, better security management, personnel and public education, and trust in the industry. Even though the electric industry's mandatory standards are imperfect, the fact it satisfies the goals of the cross-sector critical information infrastructure indicates that the framework is sound. The electric industry's experience with mandatory cybersecurity standards is a valuable source of information, and the regulatory framework itself can be a helpful model for other industries looking to develop their own security protection systems.Environmental Practice 13:250–264 (2011)