Tony,

Take a look at the actual standards that they are recommending. While they might be better than nothing, I feel that they are pretty loosely defined. Also at this time, the "Sanction" consists of a letter stating that you are not in compliance.

I see the NERC standards as an interim stopgap until the more comprehensive FERC standards (another energy-sector regulatory body) are adopted in the next year or so.

You can get the text of NERC Urgent Action Standard 1200 - Cyber Security at NERC Standards Here.

If you look through this you'll see that it's a lot less stringent and detailed than, say, the HIPAA standards.

For what it's worth, if a power company did not exercise due diligence and an incident occurred causing an outage, I strongly suspect that the repercussions would be severe for that company. Between a bunch of governmental and industry regulatory bodies looking for a scapegoat, loss of consumer confidence, and loss of investor confidence, I believe you would see a real messy situation for that company. I would guess that the companies know this already.

Regards,

AZ!