An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:
- Some have asked whether 4/1/2014 is the Compliant or Auditably Compliant date. These are CIP V1 terms – 4/1/2014 is the Compliant and Auditably Compliant date for Version 4. This means you have to have everything for compliance in place on that date, and that includes all policies, procedures and technologies in CIP-003 through CIP-009.
- There are some who believe that assets identified by the V4 criteria are “newly identified” under V4 – thus they have 6-24 more months to comply after 4/1/2014. They are wrong: NERC and the Regional Entities are in agreement on this.
- Cyber Assets not previously inventoried need to be budgeted >1 hour each!
- Actual Site Inventory Labor: 11 sites, 1500 Cyber Assets = 2,200 hours
- Site inventory can uncover >30% more assets than originally thought!
- Existing network drawings >2 years old cannot be trusted; it is easier to start over with both logical and physical cable tracing.
- 50% of equipment is non-IT traditional infrastructure and is not easily recognized, nor is the information you need to collect and report easily collected.