“I’m not surprised industry vendors are suggesting there should be a lower threshold,” said Mike Almeyda, account manager with risk management firm Force 5. At the same time, he said, “it’s not that industry doesn’t want to do the work.” CIP standards are evolving and are already closely aligned with the National Institute of Standards and Technology’s Cyber Security Framework, he said.
Enacting stricter standards for smaller resources would raise costs, said Almeyda, including potentially requiring physical security perimeters around smaller renewable facilities. The utility sector is “trying to figure out how they can be within compliance,” he said, “but still produce a profit for shareholders.”
