Fiddling with the Switch: Why Critical Infrastructure Protection Standard CIP-008-6 Should Be Adjusted to Achieve Its Goal of Maintaining and Promoting a Robust American Bulk Power System.

I. INTRODUCTION II. A BRIEF HISTORY OF CENTRALIZED POWER IN AMERICA A. THE BEGINNINGS OF THE MODERN ENERGY GRID AND EARLY REGULATION OF AMERICAN ENERGY UTILITIES B. INTERCONNECTION AND THE [...]
The Bulk Power System ("BPS") is one of America's most significant technological and infrastructural achievements. Thanks to the BPS, essentially all Americans have access to electricity that powers homes and businesses 24 hours a day, seven days per week, 365 days per year. While the BPS is an extraordinary achievement, it remains a critical security vulnerability due to its use of antiquated technology. The federal government has worked to regulate public utilities through the implementation of Critical Infrastructure Protection ("CIP") standards, and recently revised its standard related to Cyber Security Incident Reporting and Response Planning (CIP-008-6) to mandate reporting of both actual and attempted Cyber Security Incidents. The recent revisions are a step in the right direction, but critical deficiencies exist in the new version of the standard that will confuse utilities, duplicate reporting efforts, and could deprive utilities of necessary capital to enhance the security posture of their operations. To avoid these consequences, this Note argues that CIP-008-6 should be revised to provide clear direction on what constitutes an "attempted" cyberattack, mandate participation in the Cybersecurity Risk Information Sharing Program, and provide a positive financial incentive for compliance.