Here are two of the best for your consideration and edification.
The first is from Joe Weiss of Applied Control Solutions:
Jim Lewis may not be aware that more than 200 actual control system cyber incidents have occurred to date. There have been more than 20 control system cyber incidents in the North American electric grid including three major cyber-related electric outages and 2 nuclear plants shut down from full power. Unfortunately, even though the batting average is still low, it is not minuscule anymore.

If this is so, then why did James/Jim Lewis choose to omit the control systems info? Or maybe it wasn't intentional? I really don't know, and Joe doesn't either. BTW, Joe has a blog of his own and it's completely Unfettered.
Now see this, from Bryan Owen of OSIsoft, who comments both on Lewis' testimony and on my glass-half-full characterization of the NERC CIPs:
On one side we need to let the market work – let entities who suffer a breach pay the price (even the ultimate price of survival). Regulation is needed where a breach affects others and especially as remediation approaches the business capital value. Certainly for the grid, cascading fault is a very real consequence with high cost impact. However, I won’t go so far as to agree the CIPs represent an effective defense in this context. To clarify, the CIPs do provide some margin of effectiveness for major control centers (no surprise since NERC 1200 effort focused on these domains). Much of the mess with CIP today comes from misapplication of control center centric protection to highly distributed systems and assets.

I'm pretty sure he knows more than I do, so I'll let those remarks stand and try to get smarter. Anyway, that's all for now. Would really like to get James Lewis' response. Let's see what we can do ...