Vice President, Energy & Utilities Compliance, AssurX Inc.

To continue the discussion on NERC’s new compliance enforcement initiative – Find, Fix, Track and Report (FFT Report),  there are a couple important things to consider as this new process is implemented.

NERC and the Regional Entities (RE) will be watching and reviewing the registered entities on prompt self-reporting of the potential violation, risk associated with the discovered issue, and the mitigating activities; either ones completed or the tasks that are underway.  The Regional Entities will be assigning a unique tracking number for the self-reports as they do now.  What will now take place during their evaluation is the severity of the risk to BPS, and the time discovered by the registered entity to the time reported to the RE.  NERC and the Regional Entities still urge all registered entities to notify their region as soon as a possible violation is discovered.

Registered entities with a strong compliance program will identify the potential violation and investigate internally with the proper resources as quickly as possible.  They will take immediate corrective actions to mitigate the discovered issue.  The registered entity will enter the issue into their corrective action tracking system and disposition to appropriate individual/department.  Such tracking systems trend and categorize all level of issues to assist management with identification of trends and areas of improvement.  This might initiate an internal self-assessment or even a root cause evaluation if the level has been determined severe.

The initiative that was submitted to FERC on September 30, 2011, stated that the registered entity’s compliance program, mitigation and corrective action programs, internal controls and culture of compliance will have an impact on how the Regional Entities evaluate the potential violation.  Key elements to promote these internal behaviors within an organization are:

• Effective identification
• Objective self-assessments
• Internal evaluations, tracking, fixing, and trending issues

Identification of even low-level issues can help prevent larger issues that could have a major impact on the BPS.  The proper environment that encourages employees to bring up and identify issues is an important step.  This can only be done if management fosters this environment and encourages and rewards employees for discovering issues.  Senior management that demonstrates this will be taking the proper steps for building a strong culture of compliance.

The next FFT Report blog post will discuss the importance of an internal self-assessment program looking at all aspects of a good compliance program to ensure that the registered entity build and maintain strong internal programs.

You can follow Trey on Twitter.

Vice President, Energy & Utilities Compliance, AssurX Inc.

On September 30^th, 2011, NERC filed a new version of the Compliance Enforcement Initiative.  This is something that NERC, the Regional Entities, and the registered entities have been working on for a long time.  The primary focus has always been ensuring reliability of the Bulk Power System.  The registered entities have spent a lot of time and resources on implementation of the NERC and regional standards.  With my experience on both the utility side and the regulated side, I have personally seen the time it can take to process minor violations through the existing enforcement process.

This new process will be a huge improvement on moving potential violations through the pipeline and letting the regulator and entities focus on the higher risk to reliability.  NERC released their press statement that summarizes the new initiative:

“Through this initiative, NERC is looking to treat matters based upon the risk associated with them,” said Gerry Cauley, president and chief executive officer at NERC. “By identifying, mitigating and resolving issues that do not pose a serious risk to the reliability of the bulk power system, more resources can be focused on violations that do pose a risk to the grid.”

The compliance initiative is comprised of three possible tracks: dismissal; find, fix, track and report; and notice of penalty. The dismissal and notice of penalty tracks remain as currently managed; however, the find, fix, track and report track identifies possible violations that are of lesser risk to the grid and allows registered entities to mitigate them with no penalty or sanction applied. The registered entity must provide a statement of completion of mitigation activities, which is subject to verification by the Regional Entity.

The new initiative is a paradigm shift in how issues are processed, and reflects a risk-informed approach that recognizes all possible violations are not equal and should not be treated in the same manner. By focusing resources on violations that have a serious risk to the reliability of the bulk power system, NERC is able to better fulfill its mission to ensure the reliability of the bulk power system of North America.

I have written in previous blog posts the importance of registered entities to have a strong Culture of Compliance, including senior management accountability, proper compliance support, and instituting an internal corrective action program.  Many of the larger utilities that have nuclear facilities have had this in place for many years.  The mid-size and smaller companies still are trying to manage compliance by spreadsheets.

With the new compliance initiative that allows potential violations to be internally identified and managed through the “Find, Fix. Track and Report (FFT Report)” will allow all entities to improve their internal compliance program.  With the proper procedures, training, and software system, the the registered entities can identify potential issues entered into the software system and take the appropriate internal actions.  Corrective actions can be assigned, implemented and tracked to completion.  The AssurX software has been used for years to track issues, store reports and documentation, trend similar issues so that management can take steps to improve performance.  Reports and dashboards are in place to be reviewed by the organization.

More importantly, registered entities are now going to have the opportunity to show the regulators that they have a strong compliance culture in place.  When the regulator comes in for spot checks or audits, the registered entity should take this opportunity to demonstrate that they have implemented a FFT Reporting process and that any information or trending can readily be available from their compliance software application.  Some regions are actually giving scores to entities on how their Culture of Compliance is compared to other entities.  AssurX has worked with our customers by consulting them on how to implement corrective action programs, track and trend identified issues.

AssurX's solution already addresses NERC's new FFT Initiative

We have actually been working to prepare for the roll-out of the “Find, Fix, Track and Report” compliance initiative, and have developed a process specific to the FFT Report requirements such as adding risk calculations, repeatable offenses, and VRF/VSL as identified with a particular standard.  Contact us to find out more information on how AssurX can support your organization on not just monitoring standards, automating self-certifications, and managing evidence through document management; but to help build a strong Culture of Compliance and implement a robust FFT Reporting process.

You can also follow Trey on Twitter.

Ron Lepofsky, President, ERE Information Security Auditors

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization ( in draft)
CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.

In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.

CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca

Vice President, Energy & Utilities Compliance, AssurX Inc.

As the Electric Reliability Organization (ERO) enters it’s fourth year as a mandatory entity, NERC and the Regional Entities have been working with the registered entities, FERC, and other stakeholders to improve reliability.  One of the latest topics being discussed at reliability workshops and meetings is the implementation of Risk-Based Reliability Compliance Monitoring.  What does this mean to a registered entity and how best to prepare for this change?

NERC and the Regional Entities have gathered enough data over the last four years to start the assessment to develop a risk-based reliability program.  Many mature industries have adopted the same type of approach in the past.  NERC has started to identify the core set of critical reliability standards to be audited and what areas are most crucial for reliability.  NERC has also been working over the years to assist registered entities on how to build strong compliance programs and what it takes to implement a culture of compliance within an organization.

NERC has identified some of the criteria to start developing a Risk-Based Reliability program, they include:

• NERC top 20 list of allegedly violated reliability standards
• High Violation Risk Factor (VRF)
• Violation Risk Index (VRI)
• Past reliability events and major reliability issues
• Input from Regional Entities; especially from the audit teams and enforcement groups
• Assessment of registered entities compliance program and compliance culture

Some Regional Entities are developing their own Compliance Surveys that will be sent out to their registered entities.  AssurX Compliance Services division has developed a white-paper outlining some of the key issues an organization should focus on to build an internal culture of compliance.  As the ERO matures, more attention should focus on sharing lessons-learned from events, improving critical reliability standards, and how a registered entity mitigates identified issues.

We will be writing more about the Risk-based Reliability Compliance monitoring program in future weeks.  Review our white-paper and contact us if you have more questions.

To view the latest NERC fines, go to http://www.nerc.com/filez/enforcement/index.html

Vice President, Energy & Utilities Compliance

As the Electric Reliability Organization (ERO) continues to mature and provide leadership for electric reliability, there have been many changes over the last four years. One of the most recent NERC initiatives is working with the industry on reliability excellence with a risk-based approach. Gerry Cauley, President and CEO of NERC, has continuously emphasized the “Five Key Success Factors” for building a foundation of public trust. These five key success factors include:

1. Risked based approach, with reliability performance measurably improving
2. Reliability-learning, self-correcting industry
3. Culture of compliance, enforcement backstop
4. Commitment to security/resilience of grid
5. Positive relationships and reputation

NERC and the Regional Entities will start conducting more reviews and assessments on registered entities regarding “Risk Based Compliance Monitoring.” All Regions are moving toward evaluations of internal compliance programs based on the FERC “13 questions” provided in the 2005 orders. Some Regional Entities are already sending surveys to their entities trying to learn more about the internal compliance culture in these organizations. They will be reviewing internal processes and procedures. They will also review such things as: the number of violations discovered via audits or investigations, repeat violations, number of mitigation plans, etc.

FERC Orders

Policy Statement on Enforcement Docket No. PL06-1-000, 113 FERC ¶ 61,068 (October 20, 2005)

Revised Policy Statement on Enforcement Docket No. PL08-3-000, 123 FERC ¶ 61,156 (May 18, 2008)

Policy Statement on Compliance Docket No. PL09-1-000,125 FERC ¶ 61,058 (October 16, 2008)

Policy Statement on Penalty Guidelines Docket No. PL10-4-000, 130 FERC ¶ 61,220 (March 18, 2010)  suspended on April 15, 2010

Revised Policy Statement on Penalty Guidelines Docket No. PL10-4-000,132 FERC ¶ 61,216 (October 17, 2010)

Many businesses in a regulated industry such as financial, life sciences, and nuclear industry have lived through these changes and have continuously improved their internal compliance and regulatory programs. Many have built strong Culture of Compliance programs. I have seen and been a part of some very strong Culture of Compliance programs. Some of the key elements of these programs are senior management involvement that provides strong leadership and holding individuals accountable. This is so important when implementing the critical elements of a Culture of Compliance.

Another important part of building a better compliance culture is establishing an organization that self-identifyies and self-corrects issues. One of the most important aspects of this internal initiative is implementing a robust corrective and preventive action (CAPA) program. Every individual in an organization must be trained on the process and tools of this program; management must continuously support the employees identifying issues; and preventative steps must be assigned and completed.

AssurX has developed a white paper on how to build the key elements of the “Culture of Compliance” program. Download your copy here to learn more.

You can also follow Trey on Twitter.

Built-in metrics, robust help files and an easy dashboard-centric user interface require minimal training to get up and running quickly.

AssurX One system consistently tracks, measures and demonstrates compliance for an array of NERC and regional standards and requirements, including annual policy reviews, to asset and cyber security management, and document control.

Included in the AssurX One program:

1. Best practices, pre-configured workflows (NERC gap analysis, self-certification schedules/calendars, document control, cyber security management), dashboards and metrics.
2. Hosted on a secure, OnDemand system with preloaded NERC and regional standards and automatic regulatory updates.
3. Web-based implementation and training. Tutorials provided for each workflow.
4. Exclusive industry focused compliance Webinars and workshops.

For more information, download the detailed brochure (PDF):

Trey Kirkpatrick, Vice President, Energy and Utilities Compliance, AssurX

AssurX is pleased to announce the appointment of Trey Kirkpatrick as Vice President, Energy and Utilities Compliance.  Prior to joining AssurX, Trey served as Manager, Compliance Implementation and Registration for the Northeast Power Coordinating Council (NPCC) where he was responsible for registering all entities that met the requirements of the NERC Statement of Registry Criteria. NPCC has over 305 companies registered that are responsible for over 600 functional responsibilities as owners, operators and users of the bulk-power system.

While at NPCC, Trey was chairman of the NPCC Compliance Committee (CC) reporting directly to the NPCC Board of Directors.  As chairman, he worked closely with NPCC staff and stakeholders to continuously improve the compliance monitoring and enforcement process at NPCC.  He was also chairman of the NERC and Regional Entities – Registration and Certification Working Group (RCWG) where he worked with the eight (8) regional entities and NERC on setting strategic priorities for registration and certification within North America.

Prior to NPCC, Trey served as Manager, Reliability Compliance at Northeast Utilities where he was the lead manager representing Northeast Utilities’ Operating Companies’ strategic and operational interests with the North American Electric Reliability Council (NERC). While at Northeast Utilities, he was in charge of oversight of all matters related to reliability rules, including rules development, internal compliance assessments, compliance reporting, compliance audits conducted by sanctioned regulatory authorities, and developed and maintained all necessary records demonstrating Northeast Utilities’ compliance on a system-wide basis.   Trey was also a representative on the NERC Compliance and Certification Committee (CCC), which is a stakeholder body working closely with NERC and Regional Entities.

Trey comes to AssurX with an extensive background in energy and utilities having spent the past 20 years in various engineering and compliance positions in the industry; including in nuclear power generations and transmission. He will contribute his leadership skills in expanding AssurX’s compliance products and services in North America’s energy and utilities industry.

You can follow Trey on Twitter: http://twitter.com/CATSWebER

According to Trey Kirkpatrick, VP, Energy and Utilities Compliance for AssurX, “With the emergence of the CIP standards into the NERC and Regional Entities CMEP program, registered entities are self-reporting more CIP violations.  The entities are finding that documentation of personnel training and system security management continue to be an area for improvement. The registered entities are taking action with proper mitigation plans that are approved by the Regional Entities and NERC. They are also continuing to learn from other areas such as; nuclear power and health sciences how to instill a ‘Culture of Compliance’ in their workforce.”

And, as stated in NERC’s February 2011 Newsletter:

The Department of Energy (DOE) is launching an initiative to enhance cyber security on the electric grid. The initiative, led by the Department¹s Office of Electricity Delivery and Energy Reliability (OE), the National Institute of Standards and Technology (NIST), and the North American Electric Reliability Corporation (NERC), will be an open collaboration with representatives from across the public and private sectors to develop a cybersecurity risk management process guideline for the electric sector.

The Regional Entities and NERC are also performing more on-site audits and spot-checks. They are discovering implementation inconsistencies between entities and are sharing those lessons learned with FERC and the registered entities.  NERC has standard teams currently revising the next version of the CIP standards.  AssurX will continue to follow these revisions in updates to our readers in future blogs.

James Holler, Founder, Abidance Consulting

As is evident by the latest round of financial penalties (February 23, 2011) from NERC, the time for forgiveness is over. $1,145,500 in financial penalties were handed down to 24 organizations according the latest statistics — and none were zero dollar fines.

With penalties ranging from $3,000 all the way up to a whopping $450,000, and with the average penalty at just under $48,000, now is the time to ensure that your NERC compliance program is tightened down.

In the past, we have stressed the importance of training your staff; testing your various procedures as well as maintenance programs for completeness and accuracy; and, using different methods and methodologies to ensure your NERC compliance program is complete and ready to be audited by your Regional Entity and/or NERC at a moment’s notice.

So, with that said, let’s go back over a check-list of the areas that you will need to ensure are addressed in order to keep from having your organization’s name listed on the NERC Enforcement Actions Web page.

The following list is in no particular order, so don’t think you need to follow this in chronological order.

• Internal Compliance Program (FERC Required — FERC released a guidance document on this back in 2008 — use it!)
• Pandemic (Critical Assets Only — Use the CIKR documentation on the DHS website as guidance)
• Facility Ratings Methodology (it better be more than one or two pages — ours average 39 pages)
• Maintenance and Testing programs for PRC-005 (don’t forget to include the basis for your testing AND the intervals — if in doubt, use the ANSI or IEEE standards as your basis)
• CIP-001 training for your staff (having your staff sign a piece of paper that they may or may not have read isn’t going to cut it, use a real training program)

This is a partial list of what needs to be addressed so that you don’t become a statistic. As I stress to our clients, don’t overlook anything. If in doubt, ask someone who knows what they are doing and preferably someone who has been down the audit path before. Always remember, just because you passed your last audit, doesn’t mean you are going to pass your next one. Stay alert, stay focused and above all, stay calm, it’s not as bad as it seems.

James Holler is founder of Abidance Consulting.