The United States bulk electric system (BES) is a key target for cyber-attacks. This qualitative phenomenological study addressed the issue of the risk of information warfare and targeting by rogue entities or enemy nation-states. The specific problem was poor implementation of current NERC CIP standards, resulting in sizeable per-violation monetary penalties. The purpose was to explore the essence of the phenomenon of organizational investments in regulatory compliance controls, as it relates to resource challenges, organizational prioritization, and standards interpretation difficulties. The intent was to determine whether organizations continue to focus on doing the minimum to become compliant and whether the current NERC CIP compliance investments made by electric energy entities equate to mitigated risk and increased security for the BES. The research approach included semi-structured interviews with current and former NERC CIP auditors. A textual analysis of the data included removal of all potentially identifying information from audio recordings and field notes. The findings supported the sparse literature currently available. The top identified organizational priorities were reliability and operation, “the board” and revenue, and cost control. Human resources was the most significant resource challenge. Top categories for verbiage challenges included vagueness and prescriptiveness. The top three areas of interpretation difficulty were patch management, port security, and BES categorization. Participants expressed mixed feelings about the risk mitigation effectiveness of the current standards, saying they required further maturity to increase BES security. Recommendations included augmenting implementation of the NERC CIP standards with best business practices and security control frameworks like those of the National Institute of Standards and Technology (NIST). Future research recommendations included expanding participation to cover all NERC regions and comparing and contrasting results with other countries.
|Advisor:||Kabia, Milton, Converso, Judy|
|Committee:||Bakari, Marie, Barrett, Christopher, Polastri, Patricia, Settles, Tanya|
|Department:||Business and Technology Management|
|School Location:||United States -- California|
|Source:||DAI-B 80/06(E), Dissertation Abstracts International|
|Subjects:||Computer Engineering, Industrial engineering, Energy|
|Keywords:||Bulk electric system, Critical infrastructure protection, Electric, Industrial control systems, NERC CIP, Regulatory|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved