Lessons to Learn for U.S. Electric Grid Critical Infrastructure Protection: Organizational Challenges for Utilities in Identification of Critical Assets and Adequate Security Measures

The U.S. Federal Energy Regulatory Commission (FERC) approved the first critical infrastructure protection (CIP) standards for transmission and generation providers in January 2008. These standards require utilities to implement cyber security measures to protect assets critical to the reliability of the bulk electric system. Many utilities experienced significant organizational challenges to implement these standards for full compliance by July 2009. Particularly complex was critical asset identification and establishing adequate physical and electronic security perimeters. This paper reviews the current industry approaches to meet the standards and difficulties identified with implementations to three specific standards (CIP 002, 004, and 006). It highlights the differences between previous research on critical asset identification in the U.S. electric grid and the current industry guideline approach. These differences reveal potential vulnerabilities that must be addressed and mitigated to adequately protect the electric grid´s critical assets, leading utilities to implement additional measures to assure security.