I work in this industry; this is a joke, and everything listed is already required.
The actual requirements are here and are somewhat readable.
https://www.nerc.com/pa/stand/... [nerc.com]
You are required to have annual training and a quarterly awareness item. You are required to have IPS/IDS systems. You are required to identify High, Medium, and Low impact systems. You are required to assess the security of your supply chain. From what I have seen so far, there is nothing new here.
This is all nothing new (Score:3, Informative)
Re:This is all nothing new (Score:4, Informative)
I work in this industry; this is a joke, and everything listed is already required.
I also work in this industry, and that is more of a "yes and no" sort of deal. Yes, most of what is listed in the Bloomberg article is already required, with the cyber security aspects particularly covered under NERC CIP. However (this is the "no" part), the caveat is that that stuff is only required if you must comply with NERC CIP. CIP compliance, or at least various parts of it (again, cyber security in particular), is only required of utilities and service providers above a certain size, or certain number of assets, or coverage area, etc. There are several types of qualifications. Smaller utilities, and especially rural ones (rural cooperatives in particular), which the Bloomberg article mentions explicitly, are often CIP exempt.
I say this with first-hand knowledge, as I work for one of said rural cooperatives. The main company (which serves the members of the coop) falls under CIP, as it is a sizable generation and transmission provider. However, most of our individual member utilities do not fall under CIP, or many parts of it, and thus aren't required to have/do a lot of this stuff.
I think the U.S. grid would do well to simply remove that loophole entirely.
Re: (Score:0)
Corporations using loopholes to get out of regulatory requirements to save money?
GTFO with that BS.
Corporations are People too! And People want reliable power!