Speaking at the Texas Reliability Entity’s Spring Standards, Security and Reliability Workshop, NERC compliance expert Brent Castagnetto told utilities that security breaches are inevitable if they do not “elevate” their focus on the ERO’s Critical Infrastructure Protection standards beyond the regular audit cycle.
Castagnetto is co-founder of NovaSync, a provider of compliance tools focused on the CIP standards, who joined the workshop to discuss what he called the “CIP drip” phenomenon. He said the name came from a conversation a year earlier with Nick Santora, NovaSync’s vice president of growth and his co-presenter at the workshop.
“We were lamenting the fact that we both own homes, and homes often come with unique sets of problems depending on where you live,” Castagnetto said. “They could be external [or] internal; they could be the fact that you bought a crappy old house like I did and then fixed it up, or you could have challenges with buying a new home and shoddy craftsmanship. Whether you rent or own, it is likely that you’ve experienced a challenging issue, or a drip or a leak with your own home.”
Castagnetto said he and his company have seen the same kind of problem in many organizations’ CIP compliance programs. These processes are usually set up with good intentions, he said, but it’s impossible to anticipate every shortcoming ahead of time, and entities must actively check to see if issues are developing that need to be addressed.
“If we leave [these drips] unattended, and we have a leak that’s going through our foundation, that can lead to all kinds of problems, right? If we don’t address issues with our roof, we’re likely going to see some risk exposure there,” Castagnetto said. “The same thing applies when we look at audits that happen on a periodic basis, whether you’re on a three- or six-year cycle. … Is that good enough? No, you’re likely experiencing drips along the way that you have to address in a more meaningful and practical way.”
Castagnetto and Santora discussed some of the problems they have discovered that were developing without their clients’ knowledge. These fell into several categories, the first of which was issues having to do with employees, who Santora quipped are likely to remain “a pretty big problem to solve … until the robots take over.”
Santora observed that any registered entity contains many people involved in CIP compliance, and keeping their understanding of the standards and their responsibilities up to date is an urgent requirement. He described the best training programs as a “two-way street, a push and a pull,” in which — rather than providing training and ordering employees to complete it — leadership engages with employees to learn what they are unsure about and what processes need updating.
The discussion of CIP training prompted Castagnetto to turn to the next topic, processes, which he called “critically important” but misunderstood by utilities who design their compliance processes as “calendar events and reminders that cue to do an activity or perform something.” He said this approach is less effective than one that focuses on “connecting the dots from the technology that we’re using to the people that are working in the process.”
“If you’re stuck in this mode where you’re using Outlook and calendar reminders to ensure that the … steps [are] undertaken to accomplish a specific task, it’s not going to work long-term for you,” he said. “Heaven forbid Outlook goes down … or that [responsible] person leaves, and now we’re just moving the calendar to somebody else. We’re passing the buck. You don’t want to find yourself in that situation.”
Entities must also understand that CIP compliance by itself is not enough to ensure the organization’s safety in the face of determined security threats, Castagnetto warned. He cited the case of Christina Chapman, an Arizona woman sentenced in 2025 to 8.5 years in federal prison for helping North Korean information technology workers obtain remote positions at more than 300 U.S. companies.
Chapman operated what authorities called a “laptop farm” at her home, storing more than 90 computers from the companies she fooled, as well as shipping devices to overseas locations. The North Korean employees used the “stolen or borrowed” identities of actual U.S. individuals to fool the IRS. While authorities eventually caught up with the scheme, it still generated more than $17 million in revenue for Chapman and North Korea. Castagnetto said the story shows that utilities cannot count on CIP compliance alone to protect them.
“There’s nothing in [the CIP standards] that says you have to go and verify these people, but we have to figure out a solution to it, because it can happen to us, and we don’t want to have that,” Castagnetto said.