Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.
Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.
His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.
Paul elaborates on what it all means, “the big take away is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”
It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.
Stay tuned.
Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com
WHEN: Thursday, January 28, 2010 – 10 am – 2pm (Pacific)
REGISTER: https://www2.gotomeeting.com/register/554360930
WHO SHOULD ATTEND: All AssurX Energy/Utility Customers
AGENDA:
How to Manage NERC CIP Workflows & Documentation
NERC CIP Compliance Management – CIP-002 thru CIP-009 reached the Auditably Compliant stage July 1st, 2009. In this talk we will take a look at best practices for managing CIP workflows including configuration change management and process/plan review workflows.
How to Manage a NERC Compliance Framework
Part of a NERC audit includes submitting information about how your internal documentation (i.e. procedures, policies, etc.) relates to each applicable requirement. This presentation will demonstrate how CATSWeb ER can be used to establish this compliance framework.
NERC Standard Update Service
View how the NERC Standard Update Service is used to import new NERC standards and file attachments into your CATSWeb ER system.
Self Certification
Using the new CATSWeb 16Q Service Pack rules engine, view how your self-certification preparation process can be automated to create and assign all Gap Analysis records and monitor when all Gaps have been completed.
Using CATSWeb for PRC-005-1 Compliance
Demonstration of CATSWeb configured as a standalone system as well as an integration hub with various Work Order Management, ERP and Test Systems, assuring that assets which affect the BES are in PRC-005-1 compliance.
Taking your CATSWeb ER system beyond your expectations
An opportunity to learn how companies use CATSWeb ER to streamline the management of documents, assets, approvals, certifications, testing, exceptions, etc.
Sessions will last anywhere from 20 – 45 minutes each and will be followed by a 5 – 10 minute Q&A, as well as a midway break. This four hour event will be recorded and available for replay shortly afterwards. Presentations will be available for download immediately following the event.
In comments filed last month, the North American Electric Reliability Corporation (NERC) told the National Institute of Standards and Technology (NIST) that it should focus hard on coordination of standards as it works on its Proposed Framework for Smart Grid Interoperability Standards.
NERC simultaneously stressed the differences between the three types of proposed standards: Interoperability Standards, System Security Standards and Reliability Standards – and the ultimate need for streamlined, real coordination between the different standards.
“Although the voluntary Interoperability Standards proposed by NIST are designed to achieve a different purpose from the NERC mandatory Reliability Standards, it is critical to the continued reliability of the bulk power system that the two bodies of standards be compatible and complementary,” the Nov. 9th comment noted.
NERC also stressed the importance of cyber security to smart grid technologies and encouraged NIST to integrate adequate cyber security protection at all levels (device, application, network and system) in the development of its Interoperability Standards.
While NERC CIP Reliability Standards provide for the reliable and safe operation of the bulk power system by preventing the unauthorized cyber and physical access to critical assets and critical cyber assets, NERC commented, there is a need to develop additional cyber security protection for distribution facilities in the development of Smart Grid Interoperability Standards to address, for example, security aspects of interoperability at the distribution level.
http://www.nerc.com/files/FinalNERCCommentsNIST_Smart_Grid_Framework_Document.pdf
The 2009 Annual AssurX Electric Reliability Special Interest Group Meeting was a great success. This year we met in Denver on June 9-10, 2009 and kicked the event off with a networking reception that mixed business and great conversations. During the conference sessions, we discussed the latest product upgrades for CATSWeb ER, which makes it easier to import new and revised NERC Standards and RSAWs.
In our open forum we learned about how everyone is using the product to manage compliance to the NERC Standards and much more. Presentations on CIP Compliance, Compliance Framework and a customer presentation were loaded with important, useful information. I want to thank RRI Energy for a very informative presentation on their NERC compliance process: recurring evidentiary documentation/gap analysis process.
I also want to thank our customers and partners who participated in this great event. We look forward to the next one!
During the vendor search phase that started approximately a year prior to final selection, PG&E required three basic criteria: Vendor had to have a real product (no vaporware and no custom software), must have sold the product to at least one major utility, and had to have a proven GRC engine. One other criterion was that the system had to be on-premise.
After reducing the vendor count to three, all of them were invited to demonstrate the system using tightly scripted demo requirements created by PG&E. In the end, PG&E said AssurX stood out for several reasons:
- The live demonstration presented by AssurX was “flawless” according to a member on the selection committee
- AssurX scored the highest in the requirements matrix – functionality was at the top of the list
- PG&E was extremely impressed with the whole sales process and support from AssurX – “they were open and honest from day one and they were able to demonstrate exactly what we were looking for”
In fact, the live demonstration of the system went so smoothly that PG&E commented how “deeply impressed” they were. “That looked way too easy,” said one attendee. PG&E will be using the system for compliance, ethics and commitment tracking across the country and for internal auditing, NERC compliance, gas compliance and quality assurance.
Pacific Gas and Electric Company, incorporated in California in 1905, is one of the largest combination natural gas and electric utilities in the United States, with approximately 20,000 employees and revenues of almost $15 billion.
Based on the latest information from NERC, the Critical Infrastructure Protection Standards, CIP-002 thru CIP-009 reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 are a result of not having an established contact with the FBI for sabotage reporting or for deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simplistic as compared to the other eight standards we all assume that a lot more effort will be required for compliance. We also assume there will be significantly more violations and significantly higher fines associated with CIP-002 thru CIP-009.
Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ amongst these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is a review or assessment. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies should perform a review of their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirements, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:
- Initiate the review
- Perform the review and document any recommendations for change
- Approve the determination and recommendations
- Implement all approved changes
- Request approval that the changes were implemented and close the review
- Schedule the next review based on the required period
Once you have agreed on a general workflow you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for the specific processes being implemented. So, prior to developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you to save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
My heartfelt sympathies go out to anyone who has to wade through the North American Electric Reliability Corporation’s (NERC) new cyber security standards.
Last week (May 6), NERC trumpeted the fact that eight revised cyber security standards for the North American bulk power system were approved by its independent Board of Trustees. That approval wrapped up phase one of NERC’s cyber security standards revision work plan, launched last July. “Work continues on phase two of the revision plan, with version three standards already under development” NERC said in a release that might inspire more fear in the hearts of those who must comply with, but first actually decipher, these regulations.
“I wouldn’t call these huge changes, but I might call them confusing ones,” Paul Fricke, Quality Manager at AssurX, told me recently. “The effective dates are confusing and it’s not clear at all when some of the regulations actually take effect. For example CIP-007-2, Effective Date: The first day of the third calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).”
On the plus side, Paul applauds that NERC removed vague and difficult to measure Violation Severity Level elements from the compliance section, e.g. CIP-006-2. On the down side, NERC punted on defining Violation Severity Levels (VSLs), saying they will define them later (CIP-002-2). Until they make those VSLs clear, “utilities will not necessarily know right away what their [potential] risk penalty is, and that’s assuming they’ve been able to define the risk level in the first place.”
But however you slice it, these standards need to be improved to include clear and concise information. The “Sanction Guidelines of the North American Electric Reliability Corporation” in “Appendix A: Base Penalty Amount Table” denotes a matrix of Violation Risk Factor by Violation Severity Level which is used to determine a fine range from the respective axis elements. To assist stakeholders and users of the standards, it would seem reasonable to clearly define and specify these in the actual FERC-approved standard. Instead, these (if defined at all) are referenced for the most part in separate documents (RSAWs, VSL Matrix, VRF Matrix) which may or may not be up to date on the NERC website. It’s time for NERC to step up and specify risk factors and violation severity levels in the NERC standards.
You can begin the search for the standards, effective dates, and your part in all of this here: http://www.nerc.com/filez/standards/Mandatory_Effective_Dates_United_States.html
Here’s a link to the actual news release: http://www.nerc.com/news_pr.php?npr=308