February 4, 2012

New NERC Standards Too Tough to Decipher

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

My heartfelt sympathies go out to anyone who has to wade through the North American Electric Reliability Corporation’s (NERC) new cyber security standards.

Last week (May 6), NERC trumpeted the fact that eight revised cyber security standards for the North American bulk power system were approved by its independent Board of Trustees. That approval wrapped up phase one of NERC’s cyber security standards revision work plan, launched last July. “Work continues on phase two of the revision plan, with version three standards already under development” NERC said in a release that might inspire more fear in the hearts of those who must comply with, but first actually decipher, these regulations.

“I wouldn’t call these huge changes, but I might call them confusing ones,” Paul Fricke, Quality Manager at AssurX, told me recently. “The effective dates are confusing and it’s not clear at all when some of the regulations actually take effect. For example, CIP-007-2, Effective Date: The first day of the third calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).”

On the plus side, Paul applauds that NERC removed vague and difficult-to-measure Violation Severity Level elements from the compliance section, e.g. CIP-006-2. On the down side, NERC punted on defining Violation Severity Levels (VSLs), saying it will define them later (CIP-002-2). Until those VSLs are made clear, “utilities will not necessarily know right away what their [potential] risk penalty is, and that’s assuming they’ve been able to define the risk level in the first place.”

But however you slice it, these standards need to be improved to include clear and concise information. The “Sanction Guidelines of the North American Electric Reliability Corporation,” in “Appendix A: Base Penalty Amount Table,” sets out a matrix of Violation Risk Factor by Violation Severity Level which is used to determine a fine range from the two axis elements. To assist stakeholders and users of the standards, it would seem reasonable to clearly define and specify both of these in the actual FERC-approved standard. Instead, they are (if defined at all) referenced for the most part in separate documents (RSAWs, VSL Matrix, VRF Matrix) which may or may not be up to date on the NERC website. It’s time for NERC to step up and specify risk factors and violation severity levels in the NERC standards themselves.

You can begin the search for the standards, effective dates, and your part in all of this here: http://www.nerc.com/filez/standards/Mandatory_Effective_Dates_United_States.html

Here’s a link to the actual news release: http://www.nerc.com/news_pr.php?npr=308
