As proposed by the North American Electric Reliability Corp., the new critical infrastructure protection (CIP) standards charge utilities with identifying their own critical assets and related cyber systems.

This approach allows great flexibility for utilities to apply the CIP standards to their particular situations. This will help ensure that their efforts focus on securing critical assets, rather than on complying with an overly prescriptive set of mandates that might or might not yield a secure grid.

The same flexibility, however, is creating an unnerving level of uncertainty among utilities facing a looming compliance deadline.

"You've got every organization under the sun taking their own guess about what should and shouldn't be considered a critical cyber asset," says Darren Highfill, CISSP and utility communications security architect for EnerNex Corp., an engineering and consulting firm based in Knoxville, Tenn. "Until the standards are finalized and NERC starts doing audits, we're speculating about where the line will be drawn."

Under the current schedule, the new standards will become legally enforceable in 2009. Between now and then, however, the standards might evolve. In a recent Notice of Proposed Rulemaking (NOPR), FERC asked NERC to provide further guidance on how utilities should focus their "risk-based methodology" {see "Commission Watch,''p.46).

"The regulated entity determines whether it has critical physical assets and assocated critical cyber assets," says Joseph McClelland, director of FERC's Office of Electric Reliability. "That discretion could lead to inconsistencies, and those inconsistencies could lead to vulnerability on the system. We'd like to see modifications to the standards and process to address those potential problems."

Utilities can't afford to wait for a refined set of standards. To ensure they are compliant when the standards become enforceable, utilities are working to define their critical assets today-even as they watch to see how their definitions might need to change tomorrow.

Oncor On Track

Since it's up to each entity to develop its own way of identifying critical assets, their methodologies run the proverbial gamut.

"There are differences in what people consider critical and the strategies being applied," says Bill Bojorquez, vice president of system planning at ERCOT, which has formed a CIP Advisory Board to provide guidance to its membership. "Substation duty...