February 4, 2012

CDRH 2012 Strategic Priorities Emphasize QA, Life Cycle Management

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Deciphering the FDA is a bit like trying to understand what the old USSR was up to in the days of the Cold War.  In those days, it was called Kremlinology, or the study of a complex, secretive organization.  We need a catchphrase for those of us today who try to figure out what the FDA means when it says something, or what it means when it says nothing, or what it means when it tells you what it means. You get the idea.

The FDA has been talking a lot of late about transparency. Its 2011 initiative is an agency attempt, it says, to open up about how it does business. FDA is accepting comments on it until February 28.  The jury is still out on whether this initiative will accomplish much.

Our latest piece of FDA evidence is CDRH’s 2012 Strategic Priorities.

CDRH devotes the Introduction of this forward-looking document to patting itself on the back for its 2011 achievements, e.g. its report, “Understanding Barriers to Medical Device Quality,” which reviews the challenges that the FDA and industry face in supporting well‐integrated, best‐quality manufacturing practices, and the strategies that industry and the FDA can take to overcome these barriers.

CDRH also reminds us that “to complete this work [in 2011] our staff went above and beyond their already demanding workload. This is a remarkable achievement.”

Good to know.

In 2012, CDRH says it will continue to emphasize four priority areas:

  1. Fully Implement a Total Product Life Cycle Approach
  2. Enhance Communication and Transparency
  3. Strengthen Its Workforce and Workplace
  4. Proactively Facilitate Innovation to Address Unmet Public Health Needs

CDRH promises in 2012 to “improve” its premarket programs. By April 1, it pledges to begin its Triage of Pre-market Submissions Pilot to “increase submission review efficiency and better manage the pre-market review workload.”

And by the end of the year, CDRH pledges to publish a proposed rule to clarify the circumstances under which it could rely on clinical studies conducted in and for other countries. CDRH also says it will finalize all guidance documents it has issued as part of its overall plan to improve its premarket programs.

We’ll keep an eye on these and other promises throughout the year and report back as FDA hits or misses its own targets.


Lilly CEO Calls on FDA to Lighten Up

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

The FDA has to speed up adoption of a “Benefit-Risk Framework” to improve decision-making in the regulatory process, said John Lechleiter, Ph.D., chairman, president and CEO of Eli Lilly and Company.

Speaking at a recent industry conference, the CEO of the drug giant called for a regulatory process that focuses both on recognizing and appreciating benefits while identifying and minimizing risks. Such a balanced approach would help increase the flow of needed medicines to patients and reverse a trend of fewer new drugs getting approved, he said.

“The stakes are high,” Lechleiter said. “The only way to make inroads against [chronic and other] diseases is to sustain the pace of medical progress.”

The FDA appears to be a bit on the defensive here. It recently issued a report touting its record approving drugs it says demonstrates it isn’t stifling innovation at all thank you very much.

The backdrop to this battle is the upcoming reauthorization of the Prescription Drug User Fee Act (PDUFA) V. Originally enacted in 1992, PDUFA and its iterations set the foundation for how FDA will manage the drug review process for five years, beginning in October 2012.

Lilly’s Lechleiter stressed the importance of a non-partisan course for reauthorization. “As a basis for the drug review process, PDUFA is too important to get bogged down in partisan politics,” Lechleiter said. “As Congress considers reauthorization next year, we hope to see a ‘clean’ bill – one free of extraneous and controversial provisions that would politicize the bill and further complicate matters for all parties.”

Lechleiter said the regulatory system must continue to evolve to meet 21st century needs.

Lechleiter offered five key characteristics of a “state of the art” regulatory approval system:

  1. Timely – “There are far too many conditions for which therapy is inadequate or nonexistent. We need a system that is not only effective, but efficient as well.”
  2. Predictable – “The system must be predictable in its judgments, its decisions, and the criteria on which those decisions were based – whether scientific, ethical, legal, etc.”
  3. Consistent – “The system must be consistent across review divisions using standardization and repeatable processes – so that an innovator clearly understands the regulatory requirements and so that institutional learning can be harnessed to replace time-consuming one-off learning by review groups and division.”
  4. Transparent – “The system needs to be transparent in its judgments and criteria so [stakeholders] understand the rationale for its decisions.”
  5. Scientifically rigorous – “This requires scientific expertise within the agency – or access to the expertise – that understands, engages in, and influences the constantly evolving external scientific environment and ensures that standards are up-to-date.”

Lechleiter also discussed ways to strengthen a medicine’s benefit and lower its risk, including calling for greater emphasis on improved outcomes for individual patients, through the development of tailored therapeutics.

“From the point of view of patients and their doctors, a tailored therapy will provide a better benefit/risk trade-off, because they can have a higher degree of confidence that it will work effectively and with minimal harmful side-effects relative to the benefit obtained,” said Lechleiter. “From a value-for-money standpoint, tailored medicines should also reduce the heavy costs associated with non-responders. In other words, payers will get what they are paying for.”

Cry havoc and let slip the dogs of war. This one isn’t over by a long-shot.


Managing NERC’s new Compliance Enforcement Initiative: Find, Fix, Track and Reporting Implementation

Vice President, Energy & Utilities Compliance, AssurX Inc.

On September 30th, 2011, NERC filed a new version of the Compliance Enforcement Initiative.  This is something that NERC, the Regional Entities, and the registered entities have been working on for a long time.  The primary focus has always been ensuring reliability of the Bulk Power System.  The registered entities have spent a lot of time and resources on implementation of the NERC and regional standards.  With my experience on both the utility side and the regulated side, I have personally seen the time it can take to process minor violations through the existing enforcement process.

This new process will be a huge improvement on moving potential violations through the pipeline and letting the regulator and entities focus on the higher risk to reliability.  NERC released their press statement that summarizes the new initiative:

“Through this initiative, NERC is looking to treat matters based upon the risk associated with them,” said Gerry Cauley, president and chief executive officer at NERC. “By identifying, mitigating and resolving issues that do not pose a serious risk to the reliability of the bulk power system, more resources can be focused on violations that do pose a risk to the grid.”

The compliance initiative is comprised of three possible tracks: dismissal; find, fix, track and report; and notice of penalty. The dismissal and notice of penalty tracks remain as currently managed; however, the find, fix, track and report track identifies possible violations that are of lesser risk to the grid and allows registered entities to mitigate them with no penalty or sanction applied. The registered entity must provide a statement of completion of mitigation activities, which is subject to verification by the Regional Entity.

The new initiative is a paradigm shift in how issues are processed, and reflects a risk-informed approach that recognizes all possible violations are not equal and should not be treated in the same manner. By focusing resources on violations that have a serious risk to the reliability of the bulk power system, NERC is able to better fulfill its mission to ensure the reliability of the bulk power system of North America.

I have written in previous blog posts the importance of registered entities to have a strong Culture of Compliance, including senior management accountability, proper compliance support, and instituting an internal corrective action program.  Many of the larger utilities that have nuclear facilities have had this in place for many years.  The mid-size and smaller companies still are trying to manage compliance by spreadsheets.

The new compliance initiative, which allows potential violations to be internally identified and managed through the “Find, Fix, Track and Report (FFT Report)” track, will allow all entities to improve their internal compliance program.  With the proper procedures, training, and software system, the registered entities can enter potential issues into the software system and take the appropriate internal actions.  Corrective actions can be assigned, implemented and tracked to completion.  The AssurX software has been used for years to track issues, store reports and documentation, and trend similar issues so that management can take steps to improve performance.  Reports and dashboards are in place to be reviewed by the organization.

More importantly, registered entities are now going to have the opportunity to show the regulators that they have a strong compliance culture in place.  When the regulator comes in for spot checks or audits, the registered entity should take this opportunity to demonstrate that they have implemented a FFT Reporting process and that any information or trending can readily be available from their compliance software application.  Some regions are actually giving scores to entities on how their Culture of Compliance is compared to other entities.  AssurX has worked with our customers by consulting them on how to implement corrective action programs, track and trend identified issues.

AssurX's solution already addresses NERC's new FFT Initiative

We have actually been working to prepare for the roll-out of the “Find, Fix, Track and Report” compliance initiative, and have developed a process specific to the FFT Report requirements such as adding risk calculations, repeatable offenses, and VRF/VSL as identified with a particular standard.  Contact us to find out more information on how AssurX can support your organization on not just monitoring standards, automating self-certifications, and managing evidence through document management; but to help build a strong Culture of Compliance and implement a robust FFT Reporting process.

You can also follow Trey on Twitter.


Quality by Design (QbD) Pilot Presents Industry With New Challenges

Patrick Stone, President, TradeStone QA

What products will be affected by QbD? It will apply to new Marketing Authorization Applications (MAAs)/New Drug Applications (NDAs), Type II Variations/Prior-approval supplements (sNDA), and Scientific Advice requests/CMC formal meeting requests that include QbD/PAT elements and are submitted as new applications to both FDA and the EU, for MAAs/NDAs where the sponsor/applicant has agreed to a parallel evaluation by both agencies.

Upon request from the sponsor/applicant, and where procedural time-lines will allow, Type II Variations/NDAs may also be considered on a case by case basis. Right now this is a voluntary pilot with some pharma companies being tapped or nudged by FDA & EMA to join in.

Our geographically diverse health product market involves more contracting and outsourcing for many product components. Finished product real time testing and design space requirements will be crucial for implementing QbD.  ICH third party QA mandates will result from this pilot program.

QbD products will be as unique as the individuals who receive them (personalized medicine). This new model may impact two-thirds of the new health care products in the pipeline (cell therapies, gene therapies, and molecular entity therapy).  There will be many approaches to high order characterization, and some are not cost effective at present.  Many of the details will take years to sort out. Collaborations between the FDA, the Japan Ministry of Health, and the European Medicines Agency will require funding along with mutual scientific trust.

Emerging technologies and laboratory techniques will be required to accomplish the QbD paradigm shift. FDA can’t continue using the chemistry approval model for biotechnology products.  This paradigm shift may increase development times and cost structures.  The ICH model will also bring mandatory third party QA review so prepare your models for this as well.

Here are the essential points to focus on for QbD products:

  1. Target the product profile,
  2. Determine CQAs (Critical Quality Attributes),
  3. Link raw material attributes and process parameters to CQAs,
  4. Risk assessment,
  5. Develop a design space,
  6. Design and implement a control strategy.

The biotechnology sector QbD product development focus will be on design space and real time release testing. The pilot discussion focus for both regulatory agencies will be on ensuring consistent implementation of ICH Q8, Q9, and Q10 guidelines in the assessment process and on facilitating the sharing of regulatory discretion and new regulatory concepts. Manufacturers of small-molecule generic drugs have concerns that the initial lag-time in course correcting for the QbD initiative may exponentially delay the application file time for their products.

It appears some generic-drug manufacturers are not willing to implement any QbD concepts until closer to final harmonization and discussion time frames.

Why do you need higher order structure modeling?  Higher order structure product applicants will have to provide protein folding kinetics models with characterization integration into the application and annual report.  Your research models and early development modeling may be progressed for this function. Personalized medicine with batch to batch consistency including stability of 1-90 days is recommended. There are also talking points about including variants and aggregates of your products in the higher order structure models.  Intra and inter chain disulfide bonding, aggregation, and complete polypeptide modeling may be requested application material.

This may prove to be more cost effective while two juggernauts (FDA & EMA) iron out the red tape that will flow from this type of global initiative.  If the funds necessary to make this effort progress are not available on the FDA or EMA side, delays in the process are inevitable.

Molecular and personalized medicine can’t continue to be reviewed with the FDA’s chemical entity systems approach and approval model.  Effective cancer therapies and molecular medicine may not have the statistical significance necessary when only a handful of patients are treated with the cell or gene therapy.

Warning to Industry: FDA will obviously not let you have your cake and eat it too.  Shape the inevitable change by submitting comments to FDA, or accept the QbD change as it comes.  Your comments to the FDA will be monitored on the FDA’s Facebook page and through current open comment requests. Contact your respective FDA liaison or center contact for discussion points directly related to your product.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.


How to Handle NERC’s Risk-Based Reliability Compliance Monitoring

Vice President, Energy & Utilities Compliance, AssurX Inc.

As the Electric Reliability Organization (ERO) enters its fourth year as a mandatory entity, NERC and the Regional Entities have been working with the registered entities, FERC, and other stakeholders to improve reliability.  One of the latest topics being discussed at reliability workshops and meetings is the implementation of Risk-Based Reliability Compliance Monitoring.  What does this mean to a registered entity, and how best can it prepare for this change?

NERC and the Regional Entities have gathered enough data over the last four years to start the assessment to develop a risk-based reliability program.  Many mature industries have adopted the same type of approach in the past.  NERC has started to identify the core set of critical reliability standards to be audited and what areas are most crucial for reliability.  NERC has also been working over the years to assist registered entities on how to build strong compliance programs and what it takes to implement a culture of compliance within an organization.

NERC has identified some of the criteria to start developing a Risk-Based Reliability program; they include:

  • NERC top 20 list of allegedly violated reliability standards
  • High Violation Risk Factor (VRF)
  • Violation Risk Index (VRI)
  • Past reliability events and major reliability issues
  • Input from Regional Entities; especially from the audit teams and enforcement groups
  • Assessment of registered entities compliance program and compliance culture

Some Regional Entities are developing their own Compliance Surveys that will be sent out to their registered entities.  AssurX Compliance Services division has developed a white-paper outlining some of the key issues an organization should focus on to build an internal culture of compliance.  As the ERO matures, more attention should focus on sharing lessons-learned from events, improving critical reliability standards, and how a registered entity mitigates identified issues.

We will be writing more about the Risk-based Reliability Compliance monitoring program in future weeks.  Review our white-paper and contact us if you have more questions.


Fact, Fiction or Just Good Old Fashioned Nonsense – EMP Speech From FERC Conference

James Holler, Founder, Abidance Consulting

On February 8, 2011, FERC hosted a conference dealing with the security of the nation’s grid. I really wish I had been there so I could have called a lot of these people on the carpet about the garbage they were spewing forth! One of the “Chicken Littles” that took time to try and scare people, Avi Schnurr of the Electric Infrastructure Security Council (EISC), gave a doomsday scenario without any language on how to prevent or recover from an EMP event.

If Mr. Schnurr had wanted to add any value to his speech, which by the way, was based on test data from 45-50 years ago, he would have stated that there is a fix for EMP events called a Faraday Shield. Mr. Schnurr could have continued on and told everyone that Faraday Shields are so common that they are used in everyday items such as cell phones, microwave ovens and even LCD televisions. The technology to fix the issue(s) stated by Mr. Schnurr has been around for more than 50 years.

When an individual or company gives you bad scenario after bad scenario of what will, and not what might, occur, and does not give a single example of a solution or even a hint of a solution, one should ask oneself: what is this person’s ulterior motive?

It is solely my opinion that the only purpose Mr. Schnurr served was to scare the power industry into calling on the EISC for assistance — for a hefty fee I am sure. I could be wrong, but I doubt it. I have seen too many “snake oil salesmen” in my time.

James Holler is founder of Abidance Consulting.


How Risky is Risk for FDA-Regulated Life Sciences Companies?

Russ King, Managing Partner, Methodsense

The simple word “Risk” is certainly one of the most frequently used terms in the contemporary Compliance Lexicon. It has become a cliché to say that the FDA advocates a “risk based approach.” Risk Management, Risk Assessment and Risk Mitigation are staples on the menus of virtually every life science conference and exhibition. Life Science publications behave similarly and as a case in point the tag line of the AssurX Blog site is “Compliance, quality and risk: Straight talk for regulated industries” (emphasis mine).

But what the heck is “risk”? Should the very nature of “risk” in and of itself really matter to life science companies on a level beyond scenarios of potential harm, SOP creation and record generation?

First, the (sophomoric) exercise of reviewing alternative definitions of risk to get us started:

  • risk = an unwanted event which may or may not occur.
  • risk = the cause of an unwanted event which may or may not occur.
  • risk = the probability of an unwanted event which may or may not occur.
  • risk = the statistical expectation value of an unwanted event which may or may not occur.
  • risk = the fact that a decision is made under conditions of known probabilities (“decision under risk” as opposed to “decision under uncertainty”)

All of these definitions, as well as others, have a couple of things in common: risk involves unwanted consequences and uncertainty. Obvious, right? (Remember this was a sophomoric exercise). Nevertheless, it is interesting to note that unwanted consequences and uncertainty are something we humans tend to fear and hate. Uncertainty is also generally unpopular with humans.

Now consider this within the context of a medical device, pharmaceutical or biotechnology company. Among the passions driving life science companies is scientific knowledge (humans love knowing) and the practical execution of knowledge on behalf of at least two other passions: improving the length and quality of our lives (something humans generally endorse on a wholesale basis) and economic success (a value that is a tad more controversial, but still generally endorsed by most of us). Not surprisingly, these two values are intimately connected: if a life science company can successfully improve our lives, we tend to be willing to pay for it.

Recall now that element of risk called ‘uncertainty’. Uncertainty seems to be diametrically opposed to knowledge, a core value of a science based endeavor. Uncertainty seems at cross purposes to the other passions of life science companies. There is nothing like the uncertainty about the performance of devices or drugs to keep them out of the market or drive buyers away. (But isn’t that the way things should work?)

How a life science company responds to uncertainty will tell you a lot. We have seen fear, fearlessness, dissembling behavior, aggressive truth seeking… you name it, and everything in between.

Uncertainty has the powerful ability to threaten everything built by the driving passions of a life science company from market share to profitability. No wonder the reactions to uncertainty vary so greatly from organization to organization. But there is something special about uncertainty and the advocacy of a risk based approach that should be strongly embraced by life science companies.

Confronting and overcoming uncertainty means that at a level much deeper than SOPs and Quality Records we gain knowledge, the very kind of knowledge that fuels the passions of contributing to our welfare and success. Assessing and understanding risk, managing risk and mitigating risk accomplishes this by delivering a better understanding of a company’s products, their manufacture, new products, better operations, etc. which invariably creates greater opportunities to improve our lives and enhance our wealth.

Yes, peeling back the veil of uncertainty can reveal the possibility or even the probability of unwanted consequences. It is very difficult to keep the ‘bad’ out of everything. But the strength of successful life science companies comes from what they know, when they know it, and what they do with that knowledge. The more skillfully life science companies look for, root out, and drag risks into the appropriate (not just any) well lit forum, the more uncertainty is condemned to understanding. Consequently, the opportunity to forestall the possibility or reduce the probability of unwanted consequences improves dramatically.

In other words, risk is a lot more risky if you take the risk of not facing it.

Russ King is Managing Partner at MethodSense, Inc.


Balance of “Spirit,” “Letter” of Life Sciences FDA Regulations Key to Compliance

Russ King, Managing Partner, MethodSense

While on a recent vendor audit of a contract research organization (CRO) we observed a situation we see over and over in this industry: Our client, the sponsor, was looking for compliance within the “spirit” of the regulations. But the CRO’s understanding of regulatory obligation was much narrower and driven by a strong emphasis on “procedures” which was principally informed by ICH E6 and their experience from relatively short one to two day audits by their clients / Sponsors: The CRO was seeking to comply with the “letter” of the regulations as they interpreted them.

And there’s the rub.

Separately, strictly following the “letter” or the “spirit” of the regulations can be problematic. Put them together in a contractual environment and the risk of conflict increases.

A company seeking to follow the letter of the regulations often approaches regulatory obligation as an externally imposed necessity. The company must somehow conform to the documentation requirements because to be cited as non compliant can harm their reputation, create greater regulatory oversight, interfere with contracts and revenue generation, or worse.

Such companies easily gravitate to a narrower interpretation of regulations with a checklist mentality of obligation and the belief that if they can address the checklist items, justify them, and conform to the checklist, then they’ll get a more cost effective path to compliance and achieve auditability. But such benefits are frequently limited because a check list mentality often means either achieving too little or too much in a compliance effort.

On the one hand, checklists can create inflexible approaches that generate costs. We’ve seen many companies using software for critical functions whose strict interpretation of 21 CFR Part 11 controls suggested a checklist of user and functional requirements that far and away exceeded their development budget. They would have achieved compliance by following the checklist, but at a cost that was unnecessary and without creating any real benefits. Once they adjusted their approach to accommodate the intent of Part 11 within the context of their current circumstances, they found a cost effective development solution that added value and achieved FDA compliance.

From another perspective, checklists can produce regulatory shortcomings that generate risk. Organizations that drive their quality culture with checklists tend to have great difficulty in extending good quality practices and oversight company-wide. We’ve seen many organizations with very superficially attractive SOPs, but when their operations are examined closely, the reach of those SOPs does not extend with evidentiary assurances beyond what is normally reviewed during a superficial audit. For example, validation of software systems in support of a Sponsor’s project is often the subject of short cuts, which can include missing requirements that identify the product’s intended use and informal or incomplete testing intended to replace formal validation. Such short cuts are easily hidden in thick binders of documentation where accountability for validation is difficult to establish without a trained eye. The consequence is the absence of clear accountability for data integrity and, therefore, a risk to the Sponsor’s data.

At the other end of the spectrum are companies whose quality compliance vision is driven by the spirit of the regulations. Typically we see this in Sponsors and their relationships with CROs. Sponsors believe that quality should somehow be imbued into the very fabric of an organization, a belief that can often manifest itself with a Sponsor expressing a quality vision that is made up by selecting for a particular set of tasks the most rigorous relevant regulations for guidance. For CROs, it becomes difficult to meet Sponsor expectations that leave the CRO confused or with the view that the Sponsor does not have clear expectations. As a result, the CRO too often assumes the role of defining for the Sponsor the expectations that the CRO will meet.

The root causes of the conflicts between Sponsors and CROs are primarily the lack of due diligence by the Sponsor to determine the “right fit” of the CRO and the unwillingness of the CRO to understand the expectations of the Sponsor. Sponsors should always thoroughly audit their vendors as part of their vendor selection process (not as justification for their vendor choice), and the Sponsor’s regulatory affairs / quality experts should have input on the vendor contract to ensure that their regulatory expectations are a point of contractual obligation. CROs should insist on fully vetting the Sponsor’s expectations before the engagement and be clear in advance about what will be accomplished or where a compromise should be made during contract fulfillment. Failure in either regard can mean a costly change of scope down the road or unacceptable project risks.

Every life science company is different and every contractual relationship between life science companies creates opportunities for improvement. Having the right intentions does not by itself create auditable best practices. Generating auditability does not necessarily imply that a company is doing the right thing.

But the life sciences industry has a much better shot at fulfilling its public mission by integrating through cooperation both the Spirit as well as the Letter of the regulations.

Russ King is Managing Partner at MethodSense, Inc.


Are The NERC Requirements Strong Enough To Protect The Power Grid?

James Holler, Founder, Abidance Consulting

The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.

With so much at stake, NERC is faced with a daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that includes dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.

Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the National Institute of Standards and Technology in shaping cybersecurity requirements.

So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:

Advanced Persistent Threat

Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.

New Dynamics

Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like LinkedIn. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.

Shared Risk

All of this is extending NERC’s reach into the critical infrastructure. Yet 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant, with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a practice that runs counter to most security thinking. Traditional network security that relies on reactive measures simply isn’t enough.

Pay Closer Attention To Applications

Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need to ensure trusted development processes to maintain their integrity. Today, that means adhering to the requirements set forth by NERC. Trusted delivery is also critical — especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense; you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.

James Holler is founder of Abidance Consulting.


NERC Raises Stakes with ‘New Direction’ for CIP Standards

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Complying with regulatory requirements might just have gotten a lot tougher for those involved in producing and protecting the nation’s power supply.

At its meeting on April 13–16, 2010, NERC decided it will be retiring the existing CIP standards and replacing them with new ones starting at CIP-010. Since this announcement, NERC has tabled CIP-010 and CIP-011 until next year and is now focusing on CIP-002-4.

That sounds innocent enough, right?

Not so fast. “It’s a huge and significant change,” warns AssurX expert Paul Fricke. He’ll be leading a summit on NERC and power grid compliance issues later this month in Chicago. A highlight of that seminar will be a presentation by big power firm PG&E. Company exec Thomas Bilbo will explain how PG&E is developing an enterprise compliance management system using CATSWeb as the backbone. Areas covered include: internal and external compliance requirements/commitments, the connections with business processes, and the controls/methods/evidence to ensure compliance.

“We want feedback from industry about how these changes will impact them, and how we can help them to better handle these changes,” Paul says.

NERC’s latest moves mean, among other things, that regulated entities will have to track their self-certification tasks much more effectively.

CIP-010-1 establishes the foundation for a shift from identification of system elements to a focus upon the systems.

The draft standard requires BES Cyber Systems to be identified and categorized in terms of impact (High, Medium, and Low), and requires identification of each system’s essential functions. The functions and categorizations are outlined in the draft CIP-010-1 Reliability Standard.

CIP-011-1 establishes an array of baseline cyber security requirements, which must be applied to protect the BES Cyber Systems identified and categorized in CIP-010-1 according to their impact category.

So instead of a relatively vague set of rules, we’re looking at far more specific requirements in table format. “This will set the requirements in terms of low impact, medium and high,” Paul notes. For example, for high impact systems the new regulations might require action to be taken within a specific amount of time, say an hour or four hours, where in the past it may have been days or not even specified, Paul adds.
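To make the tiered structure concrete, here is an added example (not code from NERC, AssurX, or this newsletter) of how a registered entity might track evidence against impact-tiered, time-bound requirements of the kind described above. The system inventory, the security events, and the deadline table (one hour for High, four hours for Medium, none for Low) are all constructed assumptions for illustration; the draft standards themselves define the real categories and requirements.

```python
"""Impact-tiered compliance check modelled on the CIP-010-1 / CIP-011-1
structure described in the article: first categorize each BES Cyber System
by impact, then apply a requirement table keyed on that category.

Added example, not NERC's or AssurX's code. All systems, events and
deadline values below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Impact(Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Assumed tier table: maximum time allowed between detecting a security event
# and taking the required response action. The article only says "say an hour
# or four hours"; these numbers are illustrative, not from any standard.
RESPONSE_DEADLINE = {
    Impact.HIGH: timedelta(hours=1),
    Impact.MEDIUM: timedelta(hours=4),
    Impact.LOW: None,  # assumed: no time-bound response requirement at Low
}


@dataclass(frozen=True)
class BesCyberSystem:
    name: str
    essential_function: str  # CIP-010-1 asks for the system's essential functions
    impact: Impact


@dataclass(frozen=True)
class SecurityEvent:
    system: str
    detected: datetime
    responded: Optional[datetime]  # None means no response recorded yet


def evaluate_event(system: BesCyberSystem, event: SecurityEvent, now: datetime) -> str:
    """Return the compliance status of one event for one categorized system."""
    deadline = RESPONSE_DEADLINE[system.impact]
    if deadline is None:
        return "not_required"
    due_by = event.detected + deadline
    if event.responded is None:
        # Still unanswered: a finding only once the clock has run out.
        return "overdue" if now > due_by else "open"
    return "compliant" if event.responded <= due_by else "late"


def compliance_report(systems: List[BesCyberSystem], events: List[SecurityEvent],
                      now: datetime) -> List[Tuple[str, str]]:
    """Evaluate every event; an event on a system missing from the categorized
    inventory is itself a finding, since CIP-010-1 requires identification first."""
    inventory = {s.name: s for s in systems}
    report = []
    for event in events:
        system = inventory.get(event.system)
        status = "uncategorized" if system is None else evaluate_event(system, event, now)
        report.append((event.system, status))
    return report


# Constructed sample inventory and events (not real assets or incidents).
SYSTEMS = [
    BesCyberSystem("ems-scada-01", "monitoring and control", Impact.HIGH),
    BesCyberSystem("substation-rtu-07", "real-time telemetry", Impact.MEDIUM),
    BesCyberSystem("historian-02", "data logging", Impact.LOW),
]
T0 = datetime(2012, 4, 1, 9, 0)
NOW = T0 + timedelta(hours=3, minutes=30)
EVENTS = [
    SecurityEvent("ems-scada-01", T0, T0 + timedelta(minutes=45)),      # High, answered in 45 min
    SecurityEvent("substation-rtu-07", T0, T0 + timedelta(hours=5)),    # Medium, answered after 5 h
    SecurityEvent("historian-02", T0, None),                             # Low, no deadline assumed
    SecurityEvent("ems-scada-01", T0 + timedelta(hours=3), None),        # High, clock still running
    SecurityEvent("substation-rtu-07", T0 - timedelta(hours=6), None),   # Medium, deadline passed
    SecurityEvent("unknown-box", T0, T0),                                # not in the inventory
]

if __name__ == "__main__":
    for name, status in compliance_report(SYSTEMS, EVENTS, NOW):
        print(f"{name:20s} {status}")
```

The report is evidence of the kind self-certification needs: each entry ties a categorized system to a dated event and a pass/fail outcome against the tier's deadline, and an event on an uninventoried system surfaces as its own finding rather than being silently skipped.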

The comment period for this ended in June, and Paul says industry did weigh in with comments, but he also worries that industry may underestimate how much time and other resources this new bar for compliance may require.

“CIP-002-4 gets closer to where CIP-010-1 is going,” Paul notes. It seems to be a smaller step to clearly require classification of Critical Assets, but does not leap to BES System identification and classification…yet, he adds.

ASSURX NERC RESOURCE CENTER

AssurX NERC Compliance Information

Consultant James Holler’s regular NERC-related blog
