Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.
Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.
His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.
Paul elaborates on what it all means, “the big take away is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”
It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.
Stay tuned.
Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com
WHEN: Thursday, January 28, 2010 – 10 am – 2 pm (Pacific)
REGISTER: https://www2.gotomeeting.com/register/554360930
WHO SHOULD ATTEND: All AssurX Energy/Utility Customers
AGENDA:
How to Manage NERC CIP Workflows & Documentation
NERC CIP Compliance Management – CIP-002 through CIP-009 reached the Auditably Compliant stage on July 1st, 2009. In this talk we will take a look at best practices for managing CIP workflows, including configuration change management and process/plan review workflows.
How to Manage a NERC Compliance Framework
Part of a NERC audit includes submitting information about how your internal documentation (i.e. procedures, policies, etc.) relates to each applicable requirement. This presentation will demonstrate how CATSWeb ER can be used to establish this compliance framework.
NERC Standard Update Service
View how the NERC Standard Update Service is used to import new NERC standards and file attachments into your CATSWeb ER system.
Self Certification
Using the new CATSWeb 16Q Service Pack rules engine, view how your self-certification preparation process can be automated to create and assign all Gap Analysis records and monitor when all Gaps have been completed.
Using CATSWeb for PRC-005-1 Compliance
Demonstration of CATSWeb configured as a standalone system as well as an integration hub with various Work Order Management, ERP and Test Systems, assuring that assets which affect the BES are in PRC-005-1 compliance.
Taking your CATSWeb ER system beyond your expectations
An opportunity to learn how companies use CATSWeb ER to streamline the management of documents, assets, approvals, certifications, testing, exceptions, etc.
Sessions will last anywhere from 20 – 45 minutes each and will be followed by a 5 – 10 minute Q&A, as well as a midway break. This four hour event will be recorded and available for replay shortly afterwards. Presentations will be available for download immediately following the event.
Risk management is one of those terms that is often used a bit too loosely, warns AssurX’s Sal Lucido. “People say ‘risk management’ but it can mean very different things to people working at different parts of a company.”
For example, the finance and accounting department focuses on documenting and managing risks associated with business financial transactions and reporting as governed by Sarbanes-Oxley (SOX). The information technology group (IT) focuses on cyber security risks, which involves processes such as identity and access management, threat and vulnerability management, and configuration control. The regulatory compliance group is concerned with meeting the government regulations, laws and standards applicable to its industry. For example, medical device companies must meet regulations imposed by the FDA regarding such activities as quality and incident management. Energy companies must abide by national and state mandated regulations established by NERC, FERC and their respective regions. Noncompliance can lead to fines that sometimes total in the millions.
Across these industries “the Federal Government is actively auditing and levying large fines for those companies found to be out of compliance. The bar is being set higher each year and the penalties are becoming more severe.”
“Having a risk management system that is managed on paper and spreadsheets is just not going to cut it anymore.”
Sal has helped dozens of regulated companies in industries ranging from utilities to medical device manufacturers to better manage their corporate risk data and processes. And he’s observed that they have a lot in common when it comes to handling risk management. Based on his years of experience with many different firms working to address risk, he has some valuable observations and advice.
Across the board, “what we’ve been finding is that information associated with risk management is rarely made available to the departments that need access to it. For example, if the audit department had access to the identified risks and their risk levels, they could use this information to plan their audit activities, aiming audits at those that pose the greatest liability to the company.”
Companies are now looking for tools that “allow for secure collaboration” so that the risk information and data is readily available for all those who need to access it.
“Because each of these departments already has its own processes,” companies are looking for applications that allow each group to maintain its own forms and workflows. “It’s critical to have an application that provides processes unique to each group while harmonizing the underlying data,” so that each group can access what it needs, when it needs it.
The other trend we are seeing is that companies are looking to move beyond just documenting risks and listing mitigation efforts. They are looking for enterprise applications that can manage the associated business processes. For example, risk assessment and mitigation efforts are tasks that need to be assigned to individuals or teams, with due dates and status updates. In order to ensure projects stay on track, there is a need for escalation functionality that automatically emails the appropriate personnel when tasks become due and go late. These activities also have associated workflows and approval routings that need to be managed via software. Of course, this type of functionality goes well beyond the capabilities of simple risk tracking software and spreadsheets.
The other need we are seeing is related to reports and dashboards. Department and process managers are looking for reports that show risk levels, heat maps, late reports and so forth. The executive staff is looking for enterprise dashboards that report on the state of compliance throughout the organization using easy to read traffic light and gauge or thermometer formats.
Finally, the solution should also be flexible enough to integrate with data and systems that are already being used within the company. For example, if a system is already being used to document the status of key risk indicators (KRIs) such as violations or incidents, “that data should be reported within (and accessible from) the risk management system.”
In conclusion, managing risk across the corporation means something different to each department yet it requires the entire organization to work together. It involves documenting and sharing risk data across the enterprise, managing workflows and tasks, while handling escalation and reporting. Yes, risk management has matured beyond the spreadsheet.
Sal Lucido is VP of Enterprise Solutions at AssurX, Inc.
In comments filed last month, the North American Electric Reliability Corporation (NERC) told the National Institute of Standards and Technology (NIST) that it should focus hard on coordination of standards as it works on its Proposed Framework for Smart Grid Interoperability Standards.
NERC simultaneously stressed the differences between the three types of proposed standards: Interoperability Standards, System Security Standards and Reliability Standards – and the ultimate need for streamlined, real coordination between the different standards.
“Although the voluntary Interoperability Standards proposed by NIST are designed to achieve a different purpose from the NERC mandatory Reliability Standards, it is critical to the continued reliability of the bulk power system that the two bodies of standards be compatible and complementary,” the Nov. 9th comment noted.
NERC also stressed the importance of cyber security to smart grid technologies and encouraged NIST to integrate adequate cyber security protection at all levels (device, application, network and system) in the development of its Interoperability Standards.
While NERC CIP Reliability Standards provide for the reliable and safe operation of the bulk power system by preventing the unauthorized cyber and physical access to critical assets and critical cyber assets, NERC commented, there is a need to develop additional cyber security protection for distribution facilities in the development of Smart Grid Interoperability Standards to address, for example, security aspects of interoperability at the distribution level.
http://www.nerc.com/files/FinalNERCCommentsNIST_Smart_Grid_Framework_Document.pdf

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
If 21 CFR Part 11 had a favorite song, it might be The Beatles’ “The Long and Winding Road,” though Sheryl Crow’s “Everyday Is a Winding Road” is also a pretty good guess for any DJ hitting the classic rock archives.
We all know the two steps forward, one step (or more) backward path that Part 11 has taken in the past ten-plus years.
Now we’ve got the makings of an interesting parallel in the NERC world.
In testimony [http://www.nerc.com/news_pr.php?npr=359] on July 21 before the U.S. House of Representatives’ Committee on Homeland Security hearing on securing the modern electric grid from physical and cyber attacks, NERC VP and Chief Security Officer Michael J. Assante made a valiant and somewhat successful attempt to articulate NERC’s view and expectations for others in the industry subject to its regulation and audits.
As we’ve blogged about before, NERC is confronting some major issues surrounding the very safety of the United States power grid. It’s obviously one of the most important tasks out there for regulators.
And like the FDA when it comes to the importance of Part 11 vis-a-vis the efficacy and integrity of electronic records for medical devices and drugs, NERC needs to do whatever it takes to get this right – from issuing clear guidelines, to enforcing the rules with efficient audits.
And it’s those audits that are of most interest to Sal Lucido, Vice President at AssurX. Sal’s theory is that NERC is setting the bar very high (and a little vague) in testimony and other public pronouncements and documents, but that when it comes down to audits, the agency may well take a more common-sense approach. In other words, if the company being audited has an intelligent, well-thought-out approach to compliance based on effective risk management, it should be okay.
“NERC’s vagueness works in your favor,” if you can construct and implement your own strong, defensible risk management plan, Sal notes. “The Part 11 guidelines gave us all trouble when the FDA got into nitpicking.”
But AssurX’s Paul Fricke hopes for more clarity from NERC in the coming weeks. Reviewing Assante’s NERC testimony, Paul told us it was “very good, but a few key things could be improved that I think they are missing and has been confirmed in my numerous discussions with electric utility customers as well as consultants – namely the need for well organized, clear, and concise requirements/standards.”
Fricke hopes that NERC gets more input from across the industry. “I understand they can’t ‘give the keys to the bad guys’ by giving them enough information to help them get around the safeguards,” Fricke says. But NERC also should not come up with guidelines in a vacuum.
That’s part of what doomed 21 CFR Part 11 to years of delay and ultimately slowed the adoption of the very technology it was designed to advance.
As Fricke notes, “Many people are confused (specifically with CIP standards) and NERC are assuming that the industry has the years of experience in drafting procedures to be effective across all these ‘sections’ and” follow the Hippocratic Oath by first doing no harm. “The industry does not have extensive experience in this area,” Paul adds.
Paul adds, “The [current] CIP standards jumble up so many processes and areas of responsibility in each of the existing standards that companies need to create entire sets of processes just to organize what each individual standard demands.”
That said, Paul also sees a lot of positives in how NERC is tackling its admittedly tough tasks.
“The other efforts underway seem very well planned and organized as well as appropriate. They need to bring system/process experts into the plans to help them categorize, clarify, and add clarity to the CIP standards once the key needs are refined, confirmed and other outputs from teams are determined. This will help them (NERC) meet the need for all sectors and more accurately meet the ‘do no harm’ need as well as help utilities comply with the full text and intent of the standards.”
We’ll keep you posted as this travels its own long and hopefully not too winding road.
The 2009 Annual AssurX Electric Reliability Special Interest Group Meeting was a great success. This year we met in Denver on June 9-10, 2009 and kicked the event off with a networking reception that mixed business and great conversations. During the conference sessions, we discussed the latest product upgrades for CATSWeb ER, which makes it easier to import new and revised NERC Standards and RSAWs.
In our open forum we learned about how everyone is using the product to manage compliance to the NERC Standards and much more. Presentations on CIP Compliance, Compliance Framework and a customer presentation were loaded with important, useful information. I want to thank RRI Energy for a very informative presentation on their NERC compliance process: recurring evidentiary documentation/gap analysis process.
I also want to thank our customers and partners who participated in this great event. We look forward to the next one!
During the vendor search phase, which started approximately a year prior to final selection, PG&E required three basic criteria: the vendor had to have a real product (no vaporware and no custom software), must have sold the product to at least one major utility, and had to have a proven GRC engine. One other criterion was that the system had to be on-premise.
After reducing the vendor count to three, all of them were invited to demonstrate the system using tightly scripted demo requirements created by PG&E. In the end, PG&E said AssurX stood out for several reasons:
- The live demonstration presented by AssurX was “flawless” according to a member on the selection committee
- AssurX scored the highest in the requirements matrix – functionality was at the top of the list
- PG&E was extremely impressed with the whole sales process and support from AssurX – “they were open and honest from day one and they were able to demonstrate exactly what we were looking for”
In fact, the live demonstration of the system went so smoothly that PG&E commented how “deeply impressed” they were. “That looked way too easy,” said one attendee. PG&E will be using the system for compliance, ethics and commitment tracking across the country and for internal auditing, NERC compliance, gas compliance and quality assurance.
Pacific Gas and Electric Company, incorporated in California in 1905, is one of the largest combination natural gas and electric utilities in the United States, with approximately 20,000 employees and revenues of almost $15 billion.