Tom Alrich

Principal Consultant

Tom Alrich is an independent consultant and trainer specializing in two important topics

Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.

Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.