NERC just rolled out its NERC Alert System (NAS), which gives NERC/ES-ISAC the ability to alert and notify NAS-registered entities of the bulk power system (BPS) of vulnerabilities, threats, and/or abnormal events/conditions that could impact the BPS. It is also designed to enable rapid creation and dissemination of alerts, and it provides for quick acknowledgment and response from alert recipients via a secure Web browser portal.
“It’s pretty good,” says Paul J. Fricke, CQMgr, CQA Quality Manager/Project Manager at AssurX, Inc. “It sets up a direct and rapid communication to registered entities on when to send alerts and to have the mechanism to do it effectively.”
When registered entities receive an alert, they’ll then log into a secure site to receive the full update details.
There are three levels of alerts, in rising levels of seriousness:
- Level 1 – Advisory – information only
- Level 2 – Recommendations to Industry – usually requires that a questionnaire be completed and submitted back to NERC
- Level 3 – Essential Action – requires information back from the registered entity; this is the highest level of alert and seriousness
NERC also set up a fairly straightforward means of labeling how carefully to protect information contained in an alert:
- Green – Public
- Yellow – Private
- Red – Sensitive
- Black – Confidential
NERC also just released its report for 2009, which addresses a year of transition (changes at the top) and a broader kind of transition: It’s “one of focus as we enter our third full year as the entity responsible for developing and enforcing compliance with mandatory reliability standards,” says Gerry Cauley, NERC’s new President and CEO.
Cauley’s ambitious vision is “to broaden our focus from a compliance organization to a learning organization, one that fosters learning and facilitates growth, both within our organization and across the industry.”
Given all that NERC is trying to do – some well, some maybe not so well – we’ll keep you posted on how they deliver on some tough promises in 2010.
“There’s nothing to see here folks, move along. Nothing to see here.”
That’s what police usually say when a crowd gathers to watch something new, unusual or just plain interesting.
Reminds me of an article I recently ran across declaring that Software as a Service (SaaS) technology was indeed configurable. The gist of it was that NetSuite CEO Zach Nelson was attempting to shatter some of the common misperceptions about SaaS during his keynote address at a company’s partner conference in San Francisco last week.
The WebCPA article covering Zach’s speech went on, “Addressing claims that most SaaS solutions are not customizable, Nelson claimed that there are currently 6,600 users utilizing NetSuite’s enterprise resource planning functions, the majority of which are customizable features.”
Extra! Extra! Read all about it: SaaS is configurable, says Zach. And we’ve blogged about this before, too.
But is this news to anyone?
Apparently it is in some circles. So why has SaaS gotten a bad rap as inflexible?
Blame it on the early days of SaaS, when some providers offered more rigid, “pigeon-holed” solutions, says AssurX Operations Manager Karl Kleinkauf, who’s been in this business nearly twenty years. “In the old days there was something of a ‘take it or leave it’ attitude,” Karl adds.
But that’s all changed in recent years, Karl notes. For starters, the technology has improved and ample bandwidth is more widely available today. Both factors help make SaaS more configurable. But consumer demand also helped make it happen, Karl notes.
In fact, as his own customers get more adept using SaaS for regulatory compliance, they often see other uses for it. “I’ve helped many use our SaaS system for document control and customer complaint handling after they’ve gotten comfortable with it on the compliance side,” Karl says.
So let’s recap: SaaS is flexible, multi-faceted and configurable.
Remember, you didn’t read it here first.
The NERC project to develop Results-Based Reliability Standards addresses stakeholders’ recommendations that the industry should focus existing standards on areas that will lead to the greatest improvement in bulk power system reliability. You can read about it here.
The entities feel they are spending too much time documenting compliance and not enough time verifying compliance to pertinent requirements that have a more direct impact on system reliability, says VP of Enterprise Solutions at AssurX, Sal Lucido. Last January the committee selected standard FAC-003-2 (Transmission Vegetation Management Program) as the initial proof-of-concept for the project.
The Transmission Vegetation Management Team is now responding to comments received on the draft standard. “This project should greatly improve the standards development process and result in clearly written, verifiable standards and requirements,” Sal notes. The approach starts with making sure a standard has a clear statement of purpose and that each requirement is clear and measurable. The team is also looking to eliminate requirements that don’t have an impact on the reliability of the bulk power system.
Initially, these standards were voluntary. But as NERC has shifted them to being mandatory, they’ve come under closer scrutiny from industry, in part because of the monetary enforcement associated with violations. The project also states that the standards development team “should strive to achieve a portfolio of performance, risk, and competency-based mandatory reliability requirements that support an effective defense-in-depth strategy.”
Sal adds that the team is instructed to ensure that each requirement “should identify a clear and measurable outcome.” This means that the requirement should have at least one of the following:
- A stated level of reliability performance
- A reduction in a specific reliability risk, or
- A necessary competency
This new approach to standards development represents almost a year’s worth of work in a partnership between industry and NERC. It will be interesting to watch the results of the first project, which should be followed by improvements to the other critical standards.
We’ve got some slightly bad news and some really good news.
The bad news is you only have until April 19 to file your comments on NERC’s just-issued Bulk Power System Critical Infrastructure Policy Statement.
The good news: It is so clear and grounded in common sense that your only comment may be “nice job.”
Reminds me of what baseball players and managers say about umpiring: We can live with almost any reasonable interpretation of the strike zone, we just want clarity and consistency in your calls.
Well, NERC seems to have accomplished that – at least in the big picture sense.
“Yes, it is high level,” says AssurX NERC expert Paul Fricke, but it lays “good ground work.” NERC’s approach here “makes me feel more secure,” Paul adds. “The policy statement is absolutely grounded in common sense.”
Specifically, it mandates that NERC and its members address cyber security, physical security, and other high impact threats.
The statement calls for a multi-element strategy that addresses asset prioritization, risk information management, standards, prevention and detection, resilience, readiness, response, restoration, roles and authorities, communications, evaluation and testing, technical studies, interdependencies and funding.
NERC’s new umbrella statement may be in response to the heat the Department of Homeland Security and other government officials have publicly put on NERC, FERC and other keepers of the infrastructure. Their concern: The nation’s vital systems are still vulnerable to threats, whether internal (natural disaster, for example) or external (think terrorism). Or in NERC-speak, “A significant concern is the potential for disruptions impacting large portions of the bulk power system, whether by intentional attack or natural event, from which restoration and recovery may be challenging and prolonged.”
Fricke believes the relatively short comment period is also a result of that pressure. “DHS is very mindful of the threats to the power grid and they want companies to show they have controls and checks in place to protect high-priority assets in particular.”
We don’t expect there to be any earth-shattering comments from industry, but we’ll keep you posted.
Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.
Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.
His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.
Paul elaborates on what it all means: “The big takeaway is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”
It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.
Stay tuned.
Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com