As the big push behind NERC CIP v5/v6 comes to some form of “conclusion”, most U.S. utility executives are breathing a huge sigh of relief. Their efforts to make their high and medium impact facilities compliant are finally completing.  However for some insiders, there is a concern that a state of compliance complacency is now manifesting in the U.S.

• The expectation is that billions of dollars in compliance spending should have realized “enough” improvements in security … “for now”
• Some larger utilities refute the need to spend any additional money on compliance motivated security improvements.

As a result, the industry is moving slowly to meet the requirements for low impact facilities, systems and assets, consequently it may also be delaying other critical security initiatives.  This will likely have undesired consequences.