• The standards don't "clearly define what constituted a critical asset or critical cyber asset," the report found. Instead, utilities "were permitted to use their discretion when identifying critical assets and critical cyber assets...." As a result, "if an entity determined that no critical assets or critical cyber assets existed, it was exempt from the remaining original CIP standards," the report said.
How to define "critical infrastructure" is a big part of the problem. "Lack of stringent requirements for defining critical assets contributed to a significant underreporting of these assets," the IG found. Both the federal commission and NERC officials said power companies had probably undercounted their critical assets and associated critical cyber assets.
"Much of the problem stems from ... lack of definition," says Michael Assante, former chief security officer for NERC. "The concepts of what needs to be protected have not been firmly established."
Critical assets could include, for instance, control centers, transmission substations, and power generators. But on a compliance self-survey, only 29 percent of power generators and less than 63 percent of transmission owners identified one or more critical assets, NERC reported in April 2009.
The IG's office also found that NERC and eight other regional electricity reliability organizations appear to have ignored federal demands to toughen the original CIP standards. One FERC official noted that 95 percent of the changes the commission requested of NERC had not been addressed, the IG said.