I was directed to an article this morning titled "CRS: Smart grid cybersecurity standards potentially subject to conflict of interest", which points to a paper from the Federation of American Scientists (FAS) titled "The Smart Grid and Cybersecurity— Regulatory Policy and Issues". If you scroll down to the section called "Policy Concerns" (beginning on page 13) you will find the following:
"...While reliability standards are mandatory, the ERO process for developing regulations is somewhat unusual in that the regulations are essentially being established by the entities who are being regulated. This can potentially be an issue when cost of compliance is a concern, and acceptable standards may conceivably result from the option with the lowest costs. While FERC ultimately has approval authority over the regulations NERC submits and can remand such regulations it judges as not satisfying requirements, any such revisions are ultimately subject to NERC stakeholder approval..."
We need to first clearly understand that everything is ultimately a conflict of interest in the regulatory world. There are few people who take an altruistic approach to making rules. Our entire US government system is driven by lobbyists who all come to Congress looking for their "pound of flesh", and they are generally very successful at it. It is no different in the world of cybersecurity. Organizations are being tasked with addressing cybersecurity for the smart grid. What we have in terms of participation is a few large utilities who have a vested interest in avoiding regulations that would make their lives more difficult, consultants who stand to gain if rules lead stakeholders to hire consultants to help address the requirements, and vendors who either want to avoid regulations that would harm their business models or want to fight for regulations that would bring them more business. All of these "volunteers" to the effort are there for strategic reasons, and I am not exempt from that.
Will this potentially lead to better cybersecurity? I would say yes.
One of the best ways to get people to implement better security is to get people interested in, talking about, and learning more about security. This stimulates heated discussions and lots of geek talk. It is how I learned a lot of what I know. It is also reasonable to conclude that having lots of cybersecurity experts involved in the process will probably lead to some solid technical reviews. I can tell you from direct experience that there are a lot of security vendors involved in the Smart Grid security process, and they all try to convince everyone else that what they do is the way to go, but there are also a lot of people who are willing to scrutinize (and enjoy scrutinizing) every word they say.
Still, a conflict of interest will always exist, and unless Congress or any other regulators want to take some time to understand security, it is perhaps best if they allow the process to continue as it is going, conflicts of interest and all.
Just my opinion.